Tsibouris & Associates Blog

Monday, October 19, 2009

FTC Modifies ChoicePoint Consent Order and Imposes Stricter Compliance

By Mehmet Munur

The Federal Trade Commission announced today that it had entered into a modified consent agreement with ChoicePoint because of ChoicePoint's failure to live up to the original consent agreement, entered into in 2006.

The original consent agreement arose from the compromise of the financial records of roughly 163,000 consumers and at least 800 resulting cases of identity theft. The breach was arguably a watershed moment in data breaches and drew attention to data aggregators. ChoicePoint paid $10 million in civil penalties, $5 million in consumer redress, and countless millions more in forgone business opportunities, attorneys' fees, and settlements of lawsuits. ChoicePoint also agreed to "establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers," which would be subject to an audit every two years.

The FTC press release for the most recent consent order notes that ChoicePoint "turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off." As a result, ChoicePoint, since acquired by Reed Elsevier, exposed the personal information of approximately 13,750 individuals. ChoicePoint must now pay $275,000 and report to the FTC every two months for two years. The FTC also extended the period during which ChoicePoint is subject to biennial audits by two years, to 2028.

The enforcement action reiterates the FTC's attitude toward privacy and security promises, including those embodied in a consent order. The lapse the FTC cites is instructive: the monitoring tool did not fail, it was switched off, and nobody noticed for four months. "Maintaining" a security program therefore means verifying that controls are actually running and producing output, not merely that they were once deployed. Such scrutiny will certainly be burdensome for ChoicePoint and will require it to step up its information security operation or face further fines and enforcement from the FTC.


Wednesday, October 07, 2009

FTC Settles with Six Companies with Lapsed Safe Harbor Certifications

By Mehmet Munur

On October 6, 2009, the Federal Trade Commission filed six complaints against companies that falsely claimed to be self-certified to the Department of Commerce EU Safe Harbor when their certifications had lapsed. The action should serve as a reminder to Safe Harborites either to keep up their annual recertification or to stop representing that they are self-certified to the Safe Harbor.

The EU Safe Harbor is one of the methods that allow US corporations to export data from the EU while complying with Article 25 of the EU Data Protection Directive, which, subject to exceptions, requires that data be transferred only to countries with adequate data protection. The Department of Commerce, the European Commission, and the Article 29 Working Party negotiated the Safe Harbor. US companies self-certify to the Safe Harbor, and the DoC maintains a list of these companies on its export.gov website. Enforcement, however, rests with the Federal Trade Commission and the Department of Transportation. While the Safe Harbor plays a crucial role for multinational corporations in transferring personal data from the EU without violating the Directive's adequacy requirements, now more than ever, failure to abide by the Safe Harbor requirements can result in enforcement actions by the FTC.

Six companies, World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive GaitWays LLC, each represented that they were self-certified to the Safe Harbor when in fact their certifications had not been renewed for years. At least three of the companies had neither recertified nor removed the certification claims from their websites for two to three years. For example, ExpatEdge had certified to the Safe Harbor in 2002 but had not recertified since 2006. Onyx Graphics had certified in 2006 but had not recertified since 2007. Progressive GaitWays had certified in 2004 but had not recertified since 2006. Since the FTC enforcement, the remaining three companies have recertified to the Safe Harbor.

The six companies each entered into consent agreements with the FTC over the misrepresentations. The consent agreements are similar to the FTC's previous Safe Harbor settlement. They prohibit each company from "misrepresent[ing] in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other third party." Furthermore, the companies must make all documents related to compliance with the consent agreement available for inspection for the next five years.

In our previous blog post, we noted that the FTC's enforcement was tacked onto other issues related to the shipment of goods. This time the FTC has squarely addressed Safe Harbor violations using its deceptive trade practices powers. Under the FTC policy statement on deception, enforcement requires a material representation, omission, or practice that is likely to mislead the consumer. An act or practice that "is likely to affect the consumer's conduct or decision with regard to a product or service" is considered material, and express claims are presumed material. Furthermore, the Safe Harbor Principles and FAQ 11 of the Safe Harbor clearly state the FTC's jurisdiction to bring actions against Safe Harborites for deceptive trade practices. Therefore, the companies' express claims that they were self-certified to the Safe Harbor when their certifications had expired are clearly material misrepresentations that would mislead a reasonable consumer under the circumstances.

The recent enforcement actions are certainly signs of the FTC's willingness to bring more actions in this area in the future. The recent changes to the list of organizations certified to the Safe Harbor are possibly another indication of things to come. The International Trade Administration's website used to host the Safe Harbor list. Recently, it moved to the Department of Commerce's export.gov/safeharbor/ website, where all other Safe Harbor related documents already resided. The list now more readily identifies non-compliant companies.

The FTC is likely to bring more enforcement actions against companies on the Safe Harbor list that represent that they are certified but have not in fact kept up their certifications with the Department of Commerce. The FTC is also likely to expand its enforcement into more substantive issues related to the privacy practices of Safe Harborites in the near future. Therefore, Safe Harborites whose certifications have lapsed, or that intend to leave the Safe Harbor, should either promptly recertify or remove any public representation that they are certified to the Safe Harbor. This should help alleviate any FTC deceptive trade practices claims. Note, however, that the obligations a Safe Harborite undertook with respect to data it received under the Safe Harbor do not disappear when the organization leaves. Removing such representations therefore resolves only part of the issues involved in joining and then leaving the Safe Harbor.


Monday, August 24, 2009

FTC Obtains TRO Against E-Commerce Merchant Falsely Claiming Safe Harbor Certification

By Mehmet Munur

On July 31, the Federal Trade Commission obtained a temporary restraining order against the California-based operator of two websites for deceptively claiming membership in the EU Safe Harbor administered by the Department of Commerce. This is the first FTC enforcement action to rely on the FTC's authority to prosecute EU Safe Harbor violations, and the first to prosecute an American company for deceiving foreign consumers.

According to the FTC complaint, the defendants posed as UK websites, did not deliver minimal consumer protections, and lied about being in the Safe Harbor. Balls of Kryptonite, LLC, is based in Pasadena, California. However, it operated under www.bestpricedbrands.co.uk and www.bitesizedeals.co.uk, stated prices in pounds sterling, and referred to UK competitors and the Royal Mail. The websites did not state the company's location, though such a disclosure is required under the Distance Selling Directive. The FTC therefore alleged that the websites advertised and sold consumer electronics to consumers in the UK "under the pretext of being located within the UK."

The websites shipped products from the US to the UK. Customers also had to pay substantial customs duties and import taxes, and some products were incompatible with the UK power supply. The websites also stated that the products would be covered under warranty, but the products were not designed for distribution in the UK and therefore were not covered. Further, consumers were not allowed to cancel their orders, were charged 50% restocking fees, and waited weeks for items to ship.

Finally, the defendants advertised that they had self-certified to the Department of Commerce for the EU Safe Harbor when they had not. This false statement defies all logic. It does not help the defendants establish that they are a website based in the UK, and a corporation must have a US establishment that receives personal information from the EU/EEA before it can certify to the Safe Harbor. Perhaps this was the company's way of stating that it was transferring data to the US, or perhaps the website owner believed that the Safe Harbor claim would make the website more attractive to UK customers. Either way, Balls of Kryptonite is likely subject to this enforcement not because of inadequate legal advice but because of the lack of any.

Nevertheless, the temporary restraining order resulting from the enforcement action makes an interesting example because of its scope. The TRO enjoins the defendants from misrepresenting "[t]he extent to which Defendants are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party." Thus, the FTC enjoined the defendants from misrepresenting membership in any third-party privacy program. In effect, the FTC is recognizing that the health of the Safe Harbor program is closely linked to the third-party programs: the Safe Harbor Enforcement Principle requires an independent dispute resolution mechanism, which programs such as TRUSTe's EU Safe Harbor Program and the BBB EU Safe Harbor offer. One could argue, however, that third-party privacy seal programs should enforce their own marks and that the FTC should focus on the Safe Harbor program exclusively.

The enforcement action sets a much-needed precedent for false claims related to the Safe Harbor program. Nevertheless, the majority of the complaint was based on false statements concerning the shipment of goods; the Safe Harbor issue appears to be tacked on. The Safe Harbor program has been in existence for nearly a decade, and studies by the European Commission in 2004 and by others in 2008 have argued that enforcement has been lax. One would hope that, in the future, the FTC will bring Section 5 claims exclusively in the data protection realm in addition to mixed consumer protection claims.


Sunday, July 26, 2009

Sears Settles with FTC on Information Tracking

By Mehmet Munur

The FTC entered into a settlement agreement with Sears in June over Sears's failure to provide adequate notice to its customers during the sign-up process for information-collection software. The settlement highlights the need for accurate highlights notices for privacy policies.

Sears invited visitors to the sears.com and kmart.com websites to join the My SHC Community and paid them $10 to sign up. Customers downloaded and installed "research" software to participate in the community after being presented with a privacy policy and a license agreement.

Sears's marketing material stated that the software would confidentially track online browsing. However, the FTC charged that the software allowed Sears to monitor consumers' entire online sessions, including shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size of web-based e-mails. The FTC's concern was that Sears's "Privacy Statement and User License Agreement" did not disclose the full scale of the data collection until the 75th line of the agreement. The agreement stated:

Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information.

The FTC argued that burying the scope of this collection in the 75th line of a legal agreement did not adequately disclose that the consumer was consenting to the tracking of all of his or her internet activity. This, the FTC concluded, was a deceptive practice under Section 5 of the FTC Act.

In hindsight, Sears probably did not need all of the data it gathered in the first place. Whatever competitive advantage Sears might gain from collecting and processing such sensitive financial and health data is likely outweighed by the burden of maintaining the confidentiality of that information and the public relations problems that follow its disclosure. Note, too, that the agreement's own description covers "secure sessions": software installed on the endpoint observes what the user does inside an encrypted session after the browser has decrypted it, so encryption on the wire is no safeguard against it. Even if Sears could in fact use this data, installing software that works, in practice, like a commercial keylogger likely requires specific and unambiguous consent.

In light of the Sears settlement, corporations should consider building several layers of privacy policies. The Article 29 Working Party and the UK ICO have proposed simplifying privacy policies to provide better notice to data subjects. Under such a scheme, a corporation would publish a highlights notice that summarizes its privacy practices and links to the full privacy policy.

In fact, some corporations, such as Google and Microsoft, have started using the A29WP approach in their privacy policies. Note that users would still be bound by the full privacy policy under such an approach. The highlights notice thus makes privacy practices easy to understand for consumers while preserving the detail of the full policy. Sears could likely have used such a notice on its website to describe its information collection more accurately.


Friday, February 27, 2009

Stimulus Bill Requires Data Breach Notification Under HIPAA and Signals Broader Enforcement

by Mehmet Munur

The American Recovery and Reinvestment Act, which President Obama signed into law on February 17, 2009, includes wide-reaching data breach notification provisions for entities covered by the Health Insurance Portability and Accountability Act and for organizations that service those entities. It also has privacy provisions on sales of protected health information, marketing, fines, and enforcement. The Act is likely to increase joint enforcement by the Federal Trade Commission and the Department of Health and Human Services Office for Civil Rights. Such enforcement will likely result in settlements similar to the CVS settlement of February 18, 2009, which arose out of improper disposal of protected health information.

I. Data Breach Notification

The Act places notification obligations on covered entities, business associates, and vendors of personal health records for breaches of protected health information as well as required updates to contracts between covered entities and business associates.

A. Covered Entities

Generally speaking, and without using the defined terms of the Act, an entity's duty to notify arises when it has a breach involving unencrypted protected health information that it processes. The entity must then notify the individual, the media, and the Secretary of the DHHS within 60 days of discovering the breach, so long as the law enforcement exception does not apply. In creating these obligations, the Act defines the terms breach, electronic health record, personal health record, and vendor, but retains the earlier HIPAA definitions of covered entity and business associate. The obligation to notify will likely become effective for breaches discovered 210 days from enactment.

A breach is the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of that information. The term has several narrow exceptions related to inadvertent disclosures to authorized users. Most importantly, a breach is deemed discovered on the first date on which it is known, or reasonably should have been known, to have occurred. The notification clock therefore runs from constructive knowledge, not from the completion of an internal investigation, so delays in internal escalation do not push back the deadline.

Covered entities still refer to health plans, health care clearinghouses, or health care providers who transmit any health information in electronic form. Processing, while not a term used in the language of the Act, includes access, maintenance, retention, modification, storage, destruction, using, or disclosing.

Unencrypted protected health information refers to the defined term unsecured protected health information. The protected health information portion retains its definition under HIPAA and means individually identifiable health information that is transmitted by or maintained in electronic media, or both. Unsecured is defined in one of two ways. The Secretary should issue, within 60 days, guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. If he does not, the standard defaults to a technology developed or endorsed by the American National Standards Institute. Though the Act does not name a technology, it will probably be the Advanced Encryption Standard (FIPS 197), which the Federal government uses to protect sensitive information. Note that encryption renders data unusable to an unauthorized party only if the key stays out of that party's hands; data encrypted with a key that was exposed in the same incident is not meaningfully secured.

Notification takes three forms: individual, media, and the DHHS. Notification must be made without unreasonable delay and within 60 days of discovery. However, the law enforcement exception can delay notification if a law enforcement official states that notice would impede a criminal investigation or damage national security; the entity must receive a written statement or document an oral one. The burden of proving that notification was performed according to the Act lies with the covered entity.

Entities must notify each individual whose unsecured protected health information has been, or is reasonably believed by the entity to have been, accessed, acquired, or disclosed during the breach. Individual notice may be by first-class mail to the individual's last known address, or by e-mail if the individual has so specified. If the entity has insufficient or out-of-date contact information for more than 10 individuals, it must post a conspicuous notice on its website or in major print or broadcast media for a period the Secretary specifies. In cases of possible imminent misuse of the information, the entity may also notify by telephone, in addition to written notice.

The entity must notify prominent media outlets serving a state or jurisdiction if the information of more than 500 residents is reasonably believed to have been subject to the breach. The entity must also notify the Secretary. If the breach involves 500 or more individuals, the entity must notify the Secretary immediately, whereas breaches involving fewer than 500 individuals may be logged and submitted annually. The Secretary is then required to post breaches involving more than 500 individuals on the DHHS website.

The Act delineates the contents of the notifications. They must include a brief description of what happened, the date of the breach and the date of its discovery, a description of the types of information involved, the steps individuals should take to protect themselves from resulting harm, and procedures for contacting the entity through a toll-free phone number, e-mail address, or website.

The Secretary must also issue interim final regulations on breach notification within 180 days. Those regulations will apply to breaches discovered on or after the date 30 days after the regulations are promulgated. They will certainly require covered entities to craft breach response procedures and implement them promptly.

B. Business Associates

Business associates that service covered entities under HIPAA have an obligation to notify the covered entity in the event of a breach. Business associates are now also directly subject to the same security safeguards that apply to covered entities under HIPAA, and these requirements must be incorporated in their agreements.

The definition of a business associate has not changed with the Act. Business associates are still persons that perform or assist in any activity involving the use or disclosure of individually identifiable health information, or that provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity. The Act states that business associates must notify the covered entity, which must then notify the individuals. The requirements related to timeliness and to the discovery of the breach are the same as for covered entities.

Covered entities will need to amend their contracts with business associates to reflect the provisions of the Act. These amendments must include the administrative, physical, and technical safeguards, and the policies, procedures, and documentation requirements, promulgated by the DHHS. Business associates that receive protected health information may be subject to fines for wrongful disclosures. Prior to the Act, HIPAA only made business associates liable to the covered entity for breaches of contract.

The Act also contains a whistle-blowing provision for business associates and the covered entities they serve. Prior HIPAA regulations stated that a covered entity was non-compliant if it knew of a pattern of activity by a business associate that constituted a material breach of the associate's contractual obligations and did not take reasonable steps to cure it. If the business associate did not cure the problem, the covered entity was required to terminate the contract or, if that was not feasible, inform the Secretary. Now, the Act imposes the same responsibility on business associates toward the covered entities they service. Failure to do so is a violation of the Act.

C. Vendors and Non-HIPAA Covered Entities

The breach notification standards also apply to a new kind of entity that the Act calls vendors. These are entities other than covered entities that offer or maintain personal health records. A personal health record is an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. Google Health and Microsoft HealthVault are examples of such vendors.

A vendor's obligations under the Act are similar to those of covered entities and business associates. Vendors must notify individuals and the Federal Trade Commission, rather than the DHHS, of data breaches; the FTC then notifies the DHHS. The methods and timeliness of these notifications, and the definitions of breach and unsecured protected health information, are almost identical to those that apply to covered entities. Violation of the duty to notify is treated as an unfair and deceptive trade practice under the FTC Act. Third-party service providers that service vendors must notify their vendors of any breaches they experience as well.

The FTC is required to issue regulations for vendors covered under the Act within 180 days. If, however, Congress passes breach notification laws that apply directly to vendors, the Act's vendor breach notification provisions will be superseded. While this provision may be good housekeeping to prevent dual breach notification laws for vendors, it may also be a sign of further breach notification legislation to come from Congress.

II. Marketing, Sale of Protected Healthcare Information, and the Minimum Necessary Standard

The Act has several provisions that restrict marketing activities and create greater privacy protections for individuals. Covered entities will need to revise their privacy practices to accommodate their new responsibilities.

The Act reduces the marketing activities allowed under HIPAA. A communication by a covered entity or business associate that is about a product or service and encourages recipients to purchase or use it is not considered a health care operation under HIPAA unless it is made 1) to describe a health-related product or service, 2) for treatment of the individual, or 3) for case management or care coordination for the individual. If, however, the covered entity or business associate receives direct or indirect payment in exchange for the communication, the communication is considered marketing. On the other hand, such a communication will still be considered a health care operation if it describes a drug that the recipient is currently prescribed and the payment received is reasonable in amount. The Secretary is charged with defining reasonable compensation through regulations. Communications that fall outside these exceptions are marketing and may be made only with a valid authorization. The Act also prohibits the sale of protected health information without a valid authorization. The regulations governing these authorizations do not change under the Act.

The Act now requires a covered entity to comply with an individual's request to restrict disclosure of protected health information to a health plan for payment or health care operations where the individual has paid the provider out of pocket in full for the item or service. Prior HIPAA regulations did not require covered entities to agree to such restrictions.

Individuals also have the right to obtain a copy of their protected health information in electronic format if the entity maintains it in an electronic health record. The fee for such access cannot exceed the entity's labor cost in responding to the request.

Under HIPAA, an entity was required to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The Act further reduces the amount of data in circulation by requiring the Secretary to promulgate regulations based on the limited data set concept, which excludes direct identifiers such as names, addresses, social security numbers, e-mail addresses, and similar information, to the extent practicable. Such changes will certainly require covered entities to revisit their privacy practices.

III. Fines and Enforcement

The Act also promotes enhanced enforcement through required fines and investigations.

Violations due to willful neglect now require the Secretary to impose a penalty. Furthermore, the Secretary now has an obligation to investigate any complaint if a preliminary investigation of the facts indicates a possible violation due to willful neglect. Most importantly, the Act requires that any civil monetary penalty or settlement collected relating to privacy and security be transferred to the Office for Civil Rights of the DHHS. This provision will likely create a positive feedback loop in which enforcement produces fines and settlements that give the OCR more funds for further investigations. Additionally, individuals harmed by violations may receive a percentage of the amounts the OCR collects, under a methodology to be established within three years of enactment. The Act also creates four tiers of penalties for different levels of culpability, ranging from $100 to $50,000 per violation, capped at between $25,000 and $1,500,000 for all violations of an identical provision in a calendar year. These penalties are effective immediately.

The law can also be enforced by state attorneys general. If an AG has reason to believe that the interests of one or more residents of the state are or could be threatened, the AG may bring an action in federal district court. The court may, in its discretion, award attorneys' fees to an AG that brings such an action. Such state action is limited to circumstances where the Secretary is not already bringing one. Given the availability of attorneys' fees and the public record of breaches, this provision is likely to increase enforcement in cases where the FTC or the DHHS decline to act.

IV. Joint Enforcement and CVS’s $2.25 million DHHS Fine

The day after the Act was signed into law, the FTC and the DHHS announced separate settlements with the nationwide pharmacy chain CVS arising out of improper disposal of sensitive personal information. The settlement is significant because it is the first joint investigation by the FTC and the DHHS and because it involves a health care provider and both patient and employee data. Moreover, given the language of the Act and the cooperation it requires between the two agencies, it is likely a sign of more joint investigations to come.

According to the FTC complaint, during 2006 and 2007 television stations found that CVS had disposed of names, addresses, dates of birth, bank account numbers, physicians' names, insurance account numbers, and other personal information in unsecured dumpsters in at least 15 cities. Seizing on CVS's statements that "nothing is more central to our operations than maintaining the privacy of your health information" and that CVS took "this responsibility very seriously," the FTC argued that CVS's representations in its notice of privacy practices were false and misleading, and that its failure to employ reasonable disposal practices was likely to cause substantial injury to consumers and was therefore an unfair act or practice. As a result, CVS settled with the FTC and the DHHS in separate agreements.

The FTC settlement is very similar to the settlements the FTC reached with ChoicePoint, DSW, and TJX. CVS must create a comprehensive information security program, designate an employee accountable for it, identify risks, and obtain third-party assessments of its security program for the next 20 years. It is the 24th FTC case challenging a company's failure to implement reasonable information security practices.

The DHHS settlement is similar but probably more significant. Under the resolution agreement with the OCR, CVS agreed to pay $2.25 million and implement a robust corrective action plan that includes safeguards for disposal, employee training, and employee sanctions for noncompliance. CVS must comply with this action plan for three years, alongside the FTC settlement's two-decade-long program. The DHHS Office for Civil Rights press release on the resolution agreement highlights the OCR's intention to make an example of CVS and its "commitment to strong enforcement of HIPAA Privacy Rule . . . [intended to] spur other health organizations to examine and improve their privacy protections." The DHHS settlement is the second of its kind; the previous resolution agreement was with Providence Health & Services for $100,000. While the OCR conducts investigations and allows entities to correct HIPAA problems, it had not previously issued fines of this magnitude.

Vendor breach notifications under the Act will likely spur closer cooperation between the two agencies. OCR’s new obligation to assess fines, conduct investigations in certain cases, and its ability to keep the fines it issues will result in OCR having more resources and incentives to enforce the law. This positive feedback loop will likely result in the FTC and the OCR enforcing the requirements of HIPAA and publicizing them in the future. Therefore, the CVS settlement should provide an incentive for entities of all sizes to satisfy not only their current HIPAA obligations but also their future breach notification requirements.

V. Conclusion

The Recovery and Reinvestment Act creates broad data breach notification requirements for covered entities, business associates, and vendors on a federal level under HIPAA. These entities will need to abide by the regulations that the Secretary of the DHHS will promulgate in the next six months. Further, they will need to abide by the breach notification rules or face fines and settlements by both the FTC and the OCR. Therefore, affected organizations should act quickly to update their breach response plans, revise their privacy policies, stop sales of protected health information without appropriate authorization, and update business associate agreements.


Friday, January 23, 2009

Article 29 Working Party Releases 11th Annual Report

By Mehmet Munur

On January 21, 2009, the Article 29 Working Party released its 11th Annual Report on Data Protection. The report shows a rise in enforcement activity by the European Union Data Protection Authorities (DPAs), resulting in fines totaling millions of euros and some criminal prosecutions, and it records concerns over the liberal use of electronic discovery in US litigation involving EU subsidiaries.

While the report covers the year 2007, it is a handy (if belated) insight into all EU Data Protection Authorities’ enforcement activities. Most importantly, it serves as a useful tool to gauge where data protection enforcement in the EU is heading. In 2007, the DPAs focused on a variety of areas of data processing, such as electronic healthcare, law enforcement, employment, the financial sector, biometric data, and video surveillance. The report also highlights the local implementation of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the E-Privacy Directive) and the varying data retention periods set by local legislation.

The Spanish, Dutch, French, and Italian DPAs were just as active in 2007 as in the previous years.

The Spanish DPA noted that in “2007, the number of claims filed by citizens with the AEPD rose by around 7% to a total of 1,624.” The Spanish DPA issued 399 penalties, “a 32.5% increase over the previous year” resulting in fines of 19.6 million Euros—an average of nearly €50,000. Furthermore, “[t]he greater part of the inspections carried out ha[d] to do with telecommunications and financial institutions, followed by video-surveillance, which is now in third place following an increase by over 400%.”

The Dutch DPA stated that in 2007 it had “changed its strategic direction and shifted its priority to carrying out investigations and enforcement actions – the core task of any independent supervisory authority – to ensure a more effective promotion of the awareness of standards.” The Dutch DPA also suggested that it was going after the bigger fish stating that it “g[a]ve priority, as regards requests for help and assistance, to serious violations of a structural nature and to violations which entail major consequences for a substantial number of citizens or for groups of citizens.”

The French DPA reiterated its penalty and audit powers stating that “the CNIL has sanctioning powers enabling it to levy fines to the amount of €150,000 (€300,000 in the case of repetition), within the limit of 5% of turnover.” In 2007, the French DPA issued nine fines ranging from €5,000 to €50,000, five warnings, and 101 formal notifications.

The French DPA also voiced its concerns over US data retention and electronic discovery rules stating that it had “observed a recent increase in the requirement for the communication of personal data held, inter alia, by the French subsidiaries of American companies that are the subject of discovery proceedings before American civil courts or pre-trial discovery.” The French DPA was worried not just about private litigation but discovery by the FTC and SEC. Therefore, the French DPA “attempted to draw the government’s attention to this issue” and set up inter-ministerial discussions.

The Italian DPA also enhanced its inspection activities in 2007. Interestingly, the Italian DPA benefited from the use of the specialized Financial Police when checking compliance with notification requirements, information notices, and security measures. “Overall, 452 inspection proceedings were carried out. They mostly concerned private entities and were aimed at checking compliance with the main requirements laid down in the data protection legislation.” The Italian DPA focused on “personal (medical) data by pharmaceutical companies and healthcare bodies; the online processing of personal data; processing aimed at the provision of goods and services via distance selling mechanisms (including call centres); the processing operations performed by Revenue Offices; the retention of users’/subscribers’ data by telecom operators; and e-banking services.” Out of these 452 inspections, the DPA issued 228 administrative sanctions and referred 15 cases to criminal prosecution. The Italian DPA expects revenues of €750,000 from these sanctions.

In sum, enforcement by EU DPAs and the financial liability for violations of local data protection legislation are both on the rise.
