
The Privacy, Data Protection and Cybersecurity Law Review

Editor

Alan Charles Raul

Law Business Research

Reproduced with permission from Law Business Research Ltd.

This article was first published in The Privacy, Data Protection and Cybersecurity Law Review - Edition 1 (published in November 2014 – editor Alan Charles Raul).

For further information please email Nick.Barette@

PUBLISHER

Gideon Roberton

BUSINESS DEVELOPMENT MANAGER

Nick Barette

SENIOR ACCOUNT MANAGERS

Katherine Jablonowska, Thomas Lee, James Spearing

ACCOUNT MANAGER

Felicity Bown

PUBLISHING COORDINATOR

Lucy Brewer

MARKETING ASSISTANT

Dominique Destrée

EDITORIAL ASSISTANT

Shani Bans

HEAD OF PRODUCTION AND DISTRIBUTION

Adam Myers

PRODUCTION EDITOR

Timothy Beaver

SUBEDITOR

Janina Godowska

MANAGING DIRECTOR

Richard Davey

Published in the United Kingdom by Law Business Research Ltd, London

87 Lancaster Road, London, W11 1QQ, UK

© 2014 Law Business Research Ltd

www.TheLawReviews.co.uk

No photocopying: copyright licences do not apply.

The information provided in this publication is general and may not apply in a specific situation, nor does it necessarily represent the views of authors’ firms or their clients. Legal advice should always be sought before taking any legal action based on the information provided. The publishers accept no responsibility for any acts or omissions contained herein. Although the information provided is accurate as of November 2014, be advised that this is a developing area.

Enquiries concerning reproduction should be sent to Law Business Research, at the address above. Enquiries concerning editorial content should be directed to the Publisher – gideon.roberton@

ISBN 978-1-909830-28-8

Printed in Great Britain by Encompass Print Solutions, Derbyshire

Tel: 08442480112

ACKNOWLEDGEMENTS

The publisher acknowledges and thanks the following law firms for their learned assistance throughout the preparation of this book:

ASTREA

BALLAS, PELECANOS & ASSOCIATES LPC

BOGSCH & PARTNERS LAW FIRM

DUNAUD CLARENC COMBLES & ASSOCIÉS

ELIG, ATTORNEYS-AT-LAW

JONES DAY

KIM & CHANG

NNOVATION LLP

NOERR

PINHEIRO NETO ADVOGADOS

SANTAMARINA Y STETA, SC

SIDLEY AUSTIN LLP

SYNCH ADVOKAT AB

URÍA MENÉNDEZ ABOGADOS, SLP

WINHELLER RECHTSANWALTSGESELLSCHAFT MBH

CONTENTS

Editor's Preface

Alan Charles Raul

Chapter 1 EUROPEAN UNION OVERVIEW

William Long, Géraldine Scali and Alan Charles Raul

Chapter 2 APEC OVERVIEW

Catherine Valerio Barrad and Alan Charles Raul

Chapter 3 BELGIUM

Steven De Schrijver and Thomas Daenens

Chapter 4 BRAZIL

André Zonaro Giacchetta and Ciro Torres Freitas

Chapter 5 CANADA

Shaun Brown

Chapter 6 FRANCE

Merav Griguer

Chapter 7 GERMANY

Jens-Marwin Koch

Chapter 8 GREECE

George Ballas and Theodore Konstantakopoulos

Chapter 9 HONG KONG

Yuet Ming Tham and Joanne Mok

Chapter 10 HUNGARY

Tamás Gödölle and Péter Koczor

Chapter 11 ITALY

Stefano Macchi di Cellere

Chapter 12 JAPAN

Takahiro Nonaka

Chapter 13 KOREA

Jin Hwan Kim, Brian Tae-Hyun Chung, Jennifer S Keh and In Hwan Lee

Chapter 14 MEXICO

César G Cruz-Ayala and Diego Acosta-Chin

Chapter 15 RUSSIA

Vyacheslav Khayryuzov

Chapter 16 SINGAPORE

Yuet Ming Tham, Ijin Tan and Teena Zhang

Chapter 17 SPAIN

Cecilia Álvarez Rigaudias and Reyes Bermejo Bosch

Chapter 18 SWEDEN

Jim Runsten and Charlotta Emtefall

Chapter 19 TURKEY

Gönenç Gürkaynak and İlay Yılmaz

Chapter 20 UNITED KINGDOM

William Long and Géraldine Scali

Chapter 21 UNITED STATES

Alan Charles Raul, Tasha D Manoranjan and Vivek Mohan

Appendix 1 ABOUT THE AUTHORS

Appendix 2 CONTRIBUTING LAW FIRMS' CONTACT DETAILS

EDITOR’S PREFACE

The first edition of The Privacy, Data Protection and Cybersecurity Law Review appears at a time of extraordinary policy change and practical challenge for this field of law and regulation. In the United States, massive data breaches have vied with Edward Snowden and foreign state-sponsored hacking to make the biggest impression on both policymakers and the public. In Europe, the ‘right to be forgotten’, the draconian new penalties proposed in the draft Data Protection Regulation and the Snowden leaks, have significantly altered the policy landscape.

Moreover, the frenetic conversion of the global economy to an increasingly digital, internet-driven model is also stimulating a rapid change in privacy, data protection and cybersecurity laws and regulations. Governments are playing catch-up with technological innovation. It is reported that half the world’s population will be online by 2016 and the economies of emerging nations (except, perhaps, in Africa) are being developed directly through electronic commerce rather than taking the intermediate step of industrial growth as Western economies did. Growth and change in this area is accelerating, and rapid changes in law and policy are to be expected.

In France, whistle-blowing hotlines are meticulously regulated, but now, in certain key areas like financial fraud or corruption, advance authorisation for the hotlines is automatic under a 2014 legal amendment. In Singapore, 2014 saw the first enforcement matter under that country’s Personal Data Protection Act – imposing a financial penalty on a company that sent unsolicited telemarketing messages. In Russia, a new 2014 ‘forced localisation’ law requires data about Russians to be stored on servers in-country rather than wherever the data can be most efficiently managed and processed, and jurisdictions around the world have debated enacting such proposals. Interestingly, while notice of the location of the relevant servers must be provided to the Russian data protection authority, it is not clear whether the law prohibits personal data to be simultaneously stored both in-country and in foreign servers.

The European Union continues to seek to extend its model for data protection regulation around the world by deeming only countries that adopt the ‘omnibus’ legislative approach of the EU to be ‘adequate’ for data protection purposes. The EU model is not being universally endorsed, even outside the US and the Asia and Pacific Economic Cooperation (APEC) economies. But nonetheless, the EU’s constraints on international data transfers have substantially inhibited the ability of multinational companies to move personal data around the world efficiently for business purposes. In particular, conflicts with the US abound, exacerbated by the Snowden leaks regarding US government surveillance. One of the primary methods by which such EU–US data flows are facilitated, the US–EU Safe Harbor regime, has come under attack from EU parliamentarians who believe that such information will not be as carefully protected in the US and could become more susceptible to surveillance, despite the comparable surveillance authorities of EU intelligence agencies.

While policy conflicts over data protection conflicts appeared to be moderating before the Snowden leaks, afterwards, officials around the world professed to be so shocked that governments were conducting surveillance against possible terrorists that they appear to have decided that US consumer companies should pay the price. Some observers believe that digital trade protection, and the desire to promote regional or national ‘clouds’, play some role in the antagonism leveled against US internet and technology companies.

The fact that the US does not have an omnibus data protection law, and thus does not have a top-level privacy regulator or coordinator, means that it has been difficult for the US to explain and advocate for its approach to protecting personal information. This has allowed the EU to fill a perceived policy void by denying mutual recognition to US practices, and to impose significant extraterritorial regulatory constraints on American and other non-European businesses.

Nevertheless, it cannot be denied that privacy enforcement in the US is distinctly more aggressive and punitive than anywhere else in the world, including the EU. Substantial investigations and financial recoveries have been conducted and achieved by the Federal Trade Commission (which has comprehensive jurisdiction over consumer data and business practices), 50 state attorneys general (who have even broader jurisdiction over consumer protection and business acts and practices), private class action lawyers who can bring broad legal suits in federal and state courts, and a plethora of other federal and state agencies, such as the Consumer Financial Protection Bureau, the Federal Communications Commission, the Department of Health and Human Services (for medical and health-care data), the Department of Education, the Securities and Exchange Commission and various banking and insurance agencies.

In sum, there is no shortage of privacy regulators and enforcers in the US, Europe, and Asia. Enforcement in South America, as well as Africa and the Middle East, appears to be developing more slowly.

Trumping many other privacy concerns, however, is the spate of data breaches and hacking that have been epidemic and part of public discourse in the years following California’s enactment of the first data breach notification law in 2003. While the US appears (as a consequence of mandatory reporting) to be suffering the bulk of major cyberattacks – on retailers, financial institutions and companies with intellectual property worth stealing by foreign competitors or governments – it is also true that the US is leading the rest of the world on data breach notification laws and laws requiring that companies adopt affirmative data security safeguards for personal information.

For corporate and critical infrastructure networks and databases, the US has also led the way with a presidential executive order and the Cybersecurity Framework developed by the National Institute of Standards and Technology in the US Department of Commerce. The United Kingdom has also been a leader in this area, developing the UK Cyber Essentials programme, which will soon include an option for companies to be certified as compliant with the programme’s cybersecurity standards. The EU Parliament has also enacted cybersecurity directives, and the EU’s European Network and Information Security Agency has provided extensive and expert analysis, guidance and recommendations for promoting cybersecurity for EU-based organisations.

Despite attempts to implement baselines for cyber safeguards, it appears that no one is immune and no organisation is sufficiently protected to have any confidence that it can avoid being the victim of successful cyberattacks, particularly by the sophisticated hackers employed by state sponsors, organised crime, social hacktivists or determined, renegade insiders (like Snowden). Government agencies and highly resourced private companies have been unable to prevent their networks from being penetrated, and sometimes are likely to identify ‘advanced persistent threats’ months after the malware has begun executing its malicious purposes. This phenomenally destructive situation cannot obtain, and presumably some more effective solutions will have to be identified, developed and implemented. What those remedies will be, however, is not at all clear as 2014 yields to 2015.

In the coming year, it would seem plausible that there could be efforts at international cooperation on cybersecurity as well as cross-border enforcement against privacy violators. Enforcers in the EU, US and among the APEC economies, may increasingly agree to work together to promote the shared values embodied in the ‘fair information practices principles’ that are common to most national privacy regimes. In early 2014, a step in this direction was taken when APEC and the European Union’s Article 29 Working Party (on Data Protection) jointly released a framework by which international data transfers could be effectuated pursuant to the guidelines of both organisations.

Challenges and conflicts will continue to be factors with respect to: assurances of privacy protection ‘in the cloud’; common understandings of limits on and transparency of government access to personal data stored either in the cloud, or by internet companies and service providers; differences about how and when information can be collected in Europe (and perhaps some other countries) and transmitted to the US for civil discovery and law enforcement or regulatory purposes; freedom of expression for internet posts and publications; the ability of companies to market on the internet and to track – and profile – users online through cookies and other persistent identifiers; and the deployment of drones for commercial and governmental data acquisition purposes.

The biggest looming issue of them all, however, will likely be ‘big data’. This is a highly promising practice – based on data science and analytics – that collects and uses enormous quantities of disparate (and often unstructured) data, and applies creative new algorithms enabled by vastly cheaper and more powerful computer power and storage. Big data can discover helpful new patterns and make useful new predictions about health problems, civic needs, commercial efficiencies, and yes, consumer interests and preferences.

The potential social utility of big data has been unequivocally acknowledged by the US administration as well as by the key policymakers in the EU. But, big data challenges the existing privacy paradigm of notice and disclosure to individuals who are then free to make choices about how and when their data can be used and collected. Many existing and proposed applications of big data only work if the vast stores of data collected by today’s companies can be maintained and analysed irrespective of purpose limitations. Such limitations may have been relevant (and disclosed) at the point of collection, but no longer address the value of the data to companies and consumers who can benefit from big data applications. Numerous highly thoughtful reports by policymakers in the US and EU have noted concerns about the possibility that unfettered big data applications could result in hidden discrimination against certain demographic groups that might be difficult to identify and correct; or could result in undue profiling of individuals that might inhibit their autonomy, limit their financial, employment, insurance or even serendipitous choices, or possibly somehow encroach on their personal privacy (to the extent that otherwise aggregate or anonymous data can be re-identified).

This publication arrives at a time of enormous ferment for privacy, data protection and cybersecurity. Readers are invited to provide any suggestions for the next edition of this compendium, and we look forward to seeing how the many fascinating and consequential issues addressed here will evolve or develop in the next year.

Alan Charles Raul

Sidley Austin LLP

Washington, DC

November 2014

Chapter 21

UNITED STATES

Alan Charles Raul, Tasha D Manoranjan and Vivek Mohan 1

OVERVIEW

Though not universally acknowledged, the United States’ commercial privacy regime is arguably the oldest, most robust, well developed and effective in the world. The United States’ privacy system has a relatively flexible and non-prescriptive nature, relying more on post hoc government enforcement and private litigation, and on the corresponding deterrent value of such enforcement and litigation, than on detailed prohibitions and rules. With certain notable exceptions, the US system does not apply a ‘precautionary principle’ to protect privacy, but rather, allows injured parties (and government agencies) to bring legal action to recover damages for, or enjoin, ‘unfair or deceptive’ business practices. However, US federal law does impose affirmative prohibitions and restrictions in certain commercial sectors, such as those involving financial and medical data, and electronic communications, as well as with respect to children’s privacy, background investigations and ‘consumer reports’ for credit or employment purposes, and certain other specific areas. State laws add numerous additional privacy requirements.

Legal protection of privacy in civil society has been recognised in the US common law since 1890 when the article ‘The Right to Privacy’ was published in the Harvard Law Review by Professors Samuel D Warren and Louis D Brandeis. Moreover, from its conception by Warren and Brandeis, the US system for protecting privacy in the commercial realm has been focused on addressing technological innovation. The Harvard professors astutely noted that ‘[r]ecent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual […] the right “to be let alone”’. In 1974, Congress enacted the federal Privacy Act, regulating government databases, and found that ‘the right to privacy is a personal and fundamental right protected by the Constitution of the United States’. It is generally acknowledged that the US Privacy Act represented the first official embodiment of the fair information principles and practices that have been incorporated in many other data protection regimes, including the European Union’s 1995 Data Protection Directive.

1 Alan Charles Raul is a partner and Tasha D Manoranjan and Vivek Mohan are associates at Sidley Austin LLP. Passages of this chapter were originally published in ‘Privacy and data protection in the United States’, The Debate on privacy and security over the network: Regulation and markets, 2012, Fundación Telefónica; and Raul and Mohan, ‘The Strength of the U.S. Commercial Privacy Regime’, 31 March 2014, a memorandum to the Big Data Study Group, US Office of Science and Technology Policy.

The US has also led the way for the world not only on establishing model legal data protection standards in the 1974 Privacy Act, but also in terms of imposing affirmative data breach notification and information security requirements on private entities that collect or process personal data from consumers, employees and other individuals. The state of California was the path breaker on data security and data breach notification by first requiring in 2003 that companies notify individuals whose personal information was compromised or improperly acquired. Since then, approximately 47 states, the District of Columbia and other US jurisdictions, and the federal banking, health-care and communications agencies have also required companies to provide mandatory data breach notification to affected individuals, and imposed affirmative administrative, technical and physical safeguards to protect the security of sensitive personal information. Dozens of other medical and financial privacy laws also exist in various states. There is, however, no single omnibus federal privacy law in the US. Moreover, there is no designated central data protection authority in the US, though the Federal Trade Commission (FTC) has essentially assumed that role for consumer privacy. The FTC is independent of the President, and is not obliged (though it is encouraged) to respect the Administration’s perspective on the proper balance between costs and benefits with respect to protecting data privacy.

As in the EU and elsewhere, privacy and data protection are balanced in the US in accordance with other rights and interests that societies need to prosper and flourish, namely, economic growth and efficiency, technological innovation, property and free speech rights and, of course, the values of promoting human dignity and personal autonomy. The most significant factor in counterbalancing privacy protections in the US, perhaps, is the right to freedom of expression guaranteed by the First Amendment. Preserving free speech rights for everyone certainly entails complications for a ‘right to be forgotten’ since one person’s desire for oblivion may run counter to another’s sense of nostalgia (or some other desire to memorialise the past for good or ill).

The First Amendment has also been interpreted to protect the people’s right to know information of public concern or interest, even if it trenches to some extent on individual privacy. Companies have also been deemed to have a First Amendment right to communicate relatively freely with their customers by exchanging information in both directions (subject to the information being truthful, not misleading, and otherwise not the subject of an unfair or deceptive business practice).

The dynamic and robust system of privacy governance in the United States marshals the combined focus and enforcement muscle of the US Federal Trade Commission, state attorneys general, the Federal Communications Commission, the Securities and Exchange Commission, the Consumer Financial Protection Bureau (and other financial and banking regulators), the Department of Health and Human Services, the Department of Education, the judicial system, and last – but certainly not least – the highly motivated and aggressive US plaintiffs’ bar. Taken together, this enforcement ecosystem has proven to be nimble, flexible, and effective in adapting to rapidly changing technological developments and practices, responding to evolving consumer and citizen expectations, and serving as a meaningful agent of deterrence and accountability. Indeed, the US enforcement and litigation-based approach appears to be particularly well suited to deal with ‘recent inventions and business methods’ – namely, new technologies and modes of commerce – that pose ever changing opportunities and unpredictable privacy challenges.

THE YEAR IN REVIEW

As with nearly every other area of recent legislative activity in Washington, Congress has not been able to act on privacy, consumer data security, data breach notification or cybersecurity legislation. While the Administration of President Obama has called upon Congress to enact a ‘Consumer Privacy Bill of Rights’ and legislation to help protect cybersecurity for ‘critical infrastructure’, partisan gridlock, as well as concern about over-regulating the private sector, has stalled action. The congressional stalemate was considerably shaken up, however, when former National Security Agency (NSA) contractor Edward Snowden leaked information regarding US government surveillance programmes to The Guardian and The Washington Post in the summer of 2013. This sparked a media frenzy around various NSA surveillance programmes. Some of the allegations concerned unauthorised surveillance of US citizens or foreign intelligence targets within the United States, while others suggested widespread surveillance outside the US.

As a result of these disclosures, foreign governments, including within the European Union, expressed concern regarding the breadth of NSA surveillance outside the United States. For example, the EU Article 29 Working Party sent a letter to EU Justice Commissioner Viviane Reding suggesting a possible investigation of violations by the US of the EU’s data protection rules. 2

The media and political firestorm surrounding the Snowden disclosures has led the executive branch to introduce proposals regarding NSA and commercial data collection processes. In addition to its proposals for reforms of the government’s bulk metadata surveillance, the White House has also issued reports and recommendations for data collection in the private big data sector. Following closely on this, on 29 May the FTC issued a much anticipated report on big data that heavily criticised the lack of transparency in the data brokering industry, offered recommendations for consumer control of information and advocated for broad legislation that would not only create obligations for analytics companies, but also for retailers that may provide them with information. Significantly, however, the report does not suggest that any current data broker practices are illegal under existing law.

2 See Jacob Kohnstamm, Chairman of EU Article 29 Working Party, letter to Viviane Reding (13 August 2013), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2013/20130813_letter_to_vp_reding_final_en.pdf.

Cybersecurity remains a hot topic, although expectations for congressional action remain uncertain. Legislative action in the states continues, with Kentucky becoming the 47th state to have passed data breach notification legislation. Several states have also amended existing laws to expand breach obligations.

FTC actions

The FTC announced on 21 January 2014 that it had entered into no-fault consent orders with 12 companies that allegedly claimed they were in compliance with the US–EU and US–Switzerland Safe Harbor programmes when in fact their certifications had lapsed. The agreement covers several large businesses, including three NFL football teams and Level 3 Communications LLC, one of the largest internet service providers in the world. The Safe Harbor programme requires companies to annually re-certify their compliance with the Safe Harbor framework. The FTC charged that by including statements int
