The Lessons of the "Street View" Imbroglio: Know What Data You Collect and Don't Collect Data You Don't Need

The unintended capture of personal data by Google Street View has resulted in a German Data Commissioner imposing a $189,000 fine on Google this Monday. As anyone who has used Google Maps at the street view level knows, Google Street View is a valuable service that captures roads, landscapes, landmarks, buildings—and other activity that happens to be taking place when the Google vehicle collecting the data takes its pictures. But privacy regulators were not happy with the fact that, from 2008 to 2010, the street view vehicles also picked up personal data, such as email addresses and passwords, sent over unsecured Wi-Fi networks as they traversed throughout the globe. 

In Germany, after state prosecutors in Hamburg decided in November 2012 not to press charges against Google on this issue, the Hamburg Commissioner for Data Protection and Freedom of Information picked up the case and on Monday handed down a fine of $189,000 (€ 145,000).  Google maintains that it did not look at or intend to collect the data, and that the company has taken steps to prevent this kind of collection in the future. Because the Commissioner accepted Google’s assertion that any violation was unintentional, the fine imposed was less than the maximum permitted for negligence-based violations, which is $195,000 (€ 150,000).  However, it is notable that a proposal in the draft EU data protection regulation would, if enacted, give regulators the power to impose higher fines for violations of data protection law, up to 2 percent of a company’s annual sales.

The Hamburg authorities were the first to raise the issue of the payload data collected by Google’s vehicles, which was then picked up in other jurisdictions.  Last month, Google entered into an agreement with attorneys general from 38 U.S. states and the District of Columbia, agreeing to pay $7 million and launch a data-security education program, both internally within the company and externally to the public, in resolution of the joint investigation.  As announced by the Connecticut Attorney General in connection with that agreement, Google stated that the collection was limited to fragmented data and that it has since removed the software from its Street View vehicles, and agreed not to collect any additional data by means of those vehicles without notice and consent.

Google’s proactive approach in working with regulators to resolve their concerns has produced an outcome that preserves its Street View service, with minimal negative impact on the company and a positive working relationship with regulators going forward.  But the potential availability of enhanced fines for negligent data protection law violations means that in the future companies may pay a higher price for unintended data protection law violations.

All companies should take the following lessons from the Street View experience – know what data you are collecting and don’t collect more than you need, or you may be creating unnecessary exposure under data collection laws.

Poland Adopts Heavy Penalties for Telcos Using Cookies without Obtaining "Opt-In" Consent

Poland’s Act amending its Telecommunications Law and Certain Other Laws of November 16, 2012, came into effect on March 22, 2013.  The law relates specifically to telecommunications companies, and therefore other sectors such as service providers and third-party advertisers are not affected by the amendment.  With respect to cookies, it implements the EU Cookie Directive and switches the requirement from “opt-out” to “opt-in.”  In other words, consent of the user must be obtained before cookies are stored and accessed.  The penalties for non-compliance can be up to 3% of a company’s annual profits. Informed consent requires disclosure of the purpose of storing and gaining access to cookies and the option of using browser settings to control the access and storing of cookies.  However, the expression of consent may be manifested by leaving the default browser setting as-is. 

The amendment also imposes a breach notification requirement wherein public telecommunications providers must report to the Polish Inspector General for the Protection of Personal Data (in Poland, this is abbreviated as “GIODO”) within three days if the breach is considered to be accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access.  If the breach has a negative impact on users’ service, those users must be notified as well, also within three days. The Polish Data Inspector General spoke with DataGuidance and indicated that it will issue administrative decisions and impose sanctions on companies that do not comply with those decisions.

South Korea Court Opens the Door for Unintentional Data Breach Collective Actions

Authorship Credit:  Nathan A. Schacht

This is a cross-post with BakerHostetler's class action blog.  For the latest in class action developments, visit classactionlawsuitdefense.com

On February 15, 2013, the Seoul Western District Court in South Korea issued a judgment in a collective consumer action against a South Korean company for a data breach involving personal data in its possession.   Importantly, the unlawful breach at issue in this case was not caused by the company’s intentional misconduct, but instead by the company’s carelessness and mismanagement of the personal information in its possession.  This appears to be the first such judgment ever rendered abroad.

In this landmark decision, the court ruled in favor of 2,882 petitioners who filed a collective action against SK Communications, a telecommunications operator that operates internet sites and search engines.  The judgment resulted in an order requiring SK Communications to pay each petitioner approximately USD 185, for a total award of approximately USD 534,200.

According to reports about this case, the focus was on SK Communications’ violation of its duty to protect the personal data of its operations’ subscribers, including their names, dates of birth, cell numbers and social security numbers.  Apparently, after an SK Communications security manager completed a project online, the security manager failed to log out of the system and left the computer on overnight.  This oversight left the system open and susceptible to hackers, who accessed the system and caused the leak without even having to bypass password protections.  Despite the unintentional nature of the conduct and the company’s use of some software and password protections to prevent hacking and the resulting data breaches, the court ruled that the software and protections used were not enough.  In addition, the court concluded that the company’s carelessness and mismanagement of its online operations was substandard and, therefore, unlawful, warranting damages.

Although the amount of the award in this case is not eye-popping by U.S. standards, the decision indicates a significant shift in the treatment of data breaches and in the use of collective actions to remedy such breaches abroad.  Given that mismanagement and carelessness may lead to large damage awards, international companies must be careful about the systems and protections they have in place to guard the personal information in their possession.  Even more, international companies should be aware of the trend toward remedying data breaches through collective actions abroad, as this decision and the discussion surrounding it indicate that this type of ruling may be just the beginning.  The main lesson to take away from this decision is that governments and courts, even abroad, are cracking down on substandard protections for personal information and on breaches resulting not only from intentional misconduct, but from mismanagement and carelessness.  By not taking this lesson to heart, international companies may face significant and growing collective damages awards in foreign jurisdictions.

For a multi-jurisdictional summary of key requirements of international data privacy laws, see BakerHostetler's International Compendium of Data Privacy Laws.

China Adopts Privacy Legislation Strengthening Online Personal Data Protection

Authorship Credit:  Tina Amin

China’s top legislature, the Standing Committee of the National People’s Congress, closed out 2012 with the approval of rules to enhance the protection of online personal information.  The “Decision of the Standing Committee of the National People’s Congress to Strengthen the Protection of Internet Data” (“Decision”), which took effect upon its December 28, 2012 passage, has the same legal effect as law and was enacted “to protect network information security, protect the lawful interests of citizens, legal persons and other organizations, [and] safeguard national security and social order ....”  Though the Decision’s primary purpose is to protect the personal online information of Chinese citizens, it includes an identity management policy requiring Internet users to use their real names to identify themselves to service providers, including internet or telecommunications operators.

The Decision reflects China’s recent push to address the issue of online personal data protection, and follows a Chinese Ministry of Industry and Information Technology regulation, which took effect in March 2012, requiring Chinese websites to follow stricter rules on user consent to the collection and sharing of their personal data.  Specific regulations regarding the protection of online data include the following:

  • Internet service providers (ISPs), public service units (PSUs), and other organizations that collect or use an individual’s electronic information during business activities must clearly indicate the objectives, methods, and scope of collection and use of information and obtain consent for collection from the data subject.
  • ISPs must strictly safeguard the privacy and strengthen the management of personal digital information. 
  • Chinese citizens have the right to compel an ISP to delete personally identifying or private information about them or to take measures to terminate certain “harassing” activities.  
  • ISPs are required to immediately stop the transmission of illegal information once it is spotted and take relevant measures, including removing the information and saving records, before reporting to supervisory authorities.
  • Organizations and individuals are banned from obtaining personal digital information via theft or other illegal means, and prohibited from selling or illegally providing the information to others.
  • “Supervising Departments” are empowered to take measures to prevent, stop, or punish those who infringe on online privacy, obtain personal digital information through illegal means, or sell or illegally provide information to others, and ISPs are required to give support during investigations.

Violators of the Decision rules are subject to liability including warnings, fines, confiscation of unlawful income, cancellation of permits or cancellation of fines, closure of websites, prohibition of relevant responsible personnel from future engagement in the network service business, and other civil, administrative and even criminal punishments.  Violations may also be recorded in the “social credibility files” and be made public.

Still, questions remain about the implementation of the Decision.  Because the Decision itself is fairly broad and is meant to be more like a set of guiding principles than a law, many of the provisions lack the specificity essential for accurate understanding and compliance.  For example, there is no guidance regarding which governmental department or agency will supervise or enforce the rules.  Time will tell whether or not more implementing rules will clarify some of these ambiguities.

Recent Updates in International Data Privacy Law

EU Information Security Agency Recommends Clear and Broad Interpretation of Data Breach Requirements

On August 27, 2012, the European Network and Information Security Agency (ENISA) issued a paper, “Cyber Incident Reporting in the EU,” which analyzes the current state of EU legislation covering data breaches. It observes that many breaches remain undetected and, even if detected, are not reported to authorities or known to the public. As a result, it finds a lack of transparency into the causes of the incidents and their impact on users, which poses a challenge for policy makers.

Stressing the importance of incident reporting and consistency, the report indicates that a few highly publicized breaches (such as the LinkedIn incident in June 2012 that affected 6.5 million passwords and the Research In Motion, Ltd. incident in October 2011 that caused email outages throughout the world) do not squarely fit into any of the EU regulations covering breaches and notification. The report highlights the importance of discussion among the national authorities and the EC to clarify the scope of legislation and address gaps. It does not urge an overhaul of the text of existing laws, but rather stresses a broad interpretation that would account for the evolving landscape of electronic telecommunications. It regards the fact that the European Commission is developing a Cyber Security Strategy as a positive step towards increasing transparency, understanding and prevention.

Data Privacy Law Enacted in the Philippines

President Aquino recently signed into law Republic Act No. 10173: “An Act Protecting Individual Personal Information in Information and Communication Systems in the Government and the Private Sector,” or the Data Privacy Act 2012. The law is said to be designed to comply with international data security standards and to provide comfort in the security of data belonging to companies outside the Philippines but increasingly handled by companies in the information technology – business processing outsourcing (IT-BPO) sector in the Philippines. The law is based upon the European Data Directive and creates a National Privacy Commission for its enforcement.

Jamaica Envisions Data Protection Act by 2012/2013

Jamaica has announced that it will promulgate its Data Protection Act during this financial year.  The need for the implementation of a data protection law had been discussed within Jamaica for some time, and on July 31, 2012, Hon. Julian Robinson, the Minister of State in the Ministry of Science, Technology, Energy and Mining, made the announcement to the House of Representatives at the 2012/13 Sectoral Debate. As reported by the Jamaica Information Service, here, Mr. Robinson cited the “need for more uniform, robust and clear mandate to protect privacy and personal information” and noted that the law will cover the collection, processing, retaining, use and disclosure of personal information. He also announced that by the 2013/2014 financial year the government will establish an Information and Communication Technology (ICT) Regulator. The regulator will take on some of the functions of authorities and commissions already in place.

Vote on Ground-Breaking Brazilian Internet Bill of Rights Postponed

Internet-rights pundits had been waiting with bated breath for the Brazilian Congress’s vote on a proposed internet bill of rights, the so-called “Marco Civil da Internet.” That vote, which was scheduled for August 8, 2012, was canceled at the last minute without explanation. The proposed bill represents a unique, collaborative effort with the public, whose input was solicited by legislators via the internet, to regulate internet use not by defining prohibited acts, but rather by prescribing affirmative rights for internet users and service providers. The bill’s stated goal is to make the internet more open and transparent by establishing internet neutrality. But the bill is not without its detractors, who claim that its expansive protections for internet service providers regarding content are both a recipe for disaster and in contradiction with existing Brazilian legislation. Regardless of one’s position on the bill, which does enjoy significant popular support, the cancelation of the vote was disappointing to many, who see the proposed legislation as an important step in defining internet rights. A new date for the vote has yet to be scheduled.

Additional Information:
For the complete text of the proposed legislation click here.

For additional articles on the history and background of the Marco Civil da Internet, click here and here.

France's New Breach Notification Requirements

On May 28, 2012, the French data protection regulator (CNIL) released new guidance on breach notification laws.  The guidance regards a 2011 ordinance that recently came into force on April 1.  Among other things, the ordinance amends existing French data protection law (Law on Information Technology and Liberties (78-17 of 1978)) to reflect the EU e-Privacy Directive’s (2009/136/EC) breach notification requirement for ISPs and others.

The Guidance provides that the ordinance applies to e-communication service providers, including ISPs and mobile phone operators, that are registered with the French Authority for Regulation of Electronic Communications and Posts (ARCEP).  It does not yet apply to online banks, e-commerce sites or other “information society” services. 

It defines a violation under the ordinance, and in doing so states that malicious intent is but one possible scenario in which a violation may occur.  It also sets out a few examples of where a violation may occur: an intrusion into the customer database of an ISP, a confidential e-mail sent in error, and a mobile phone operator’s system making available to others the credit card information of subscribers that have ordered phones.  However, according to the guidance, a computer virus on the personal computer of a user and not linked to the ISP would not constitute a violation.  Neither would the theft of a human resources database, as it does not relate to the provision of the e-communication service to the public.

The guidance sets out a layered process for notification.  First, where a violation occurs, regardless of its severity, CNIL must be notified without delay by letter setting out certain details of the breach.  As for notifying individuals, the company must assess the potential damage from the breach (considering, for example, theft or identity fraud, or significant humiliation or damage to reputation) and whether it has applied the technological protection measures required, such as effective encryption, to determine whether to notify individuals in the first instance.  Companies do not have to notify individuals where “adequate” measures have been taken.  However, the guidance notes that encryption is not effective where the key is stolen or otherwise compromised.

Second, CNIL will evaluate the breach and measures. If the breach is serious, CNIL can order a company to notify users and will do so within a month.  However, CNIL has two months to evaluate the corrective measures taken by a company.  If CNIL does not respond, the company must immediately notify its subscribers regarding the breach.  The guidance sets out the details that must be included in the notification to subscribers: the nature of the breach, contact details from whom to obtain additional information regarding the breach, and recommended measures to reduce the negative consequences of the breach.  CNIL leaves the method of notification to individuals to the company so long as it can be verified.

Non-compliance with the ordinance can lead to fines of € 300,000 and up to five years imprisonment, as well as CNIL sanctions.  In April, CNIL announced that inspections for compliance with the ordinance are planned for 2012.  Therefore, enforcement of the breach notification rules may follow the publication of this guidance.

One concern that has been raised regarding the ordinance regards the fact that some countries have not yet implemented the breach notification requirements from the 2009 changes to the e-Privacy Directive and others have done so in ways that do not precisely align with the French ordinance.  This will create risk and challenges for mobile phone operators and ISPs where their services run across national borders to individuals in other jurisdictions.

Privacy Across Borders: Concerns Surfacing in Trans-Pacific Partnership

Opening markets and removing barriers to trade are touted by many in Washington, DC and well beyond as a cornerstone of economic expansion.  In the information age, ensuring the free flow of data across borders, and not simply goods and services, is increasingly important.  But just as problems can arise with differing foreign laws on tobacco, chewing gum or automobiles, so can they present obstacles to the transfer and handling of certain types of data.

The US is currently negotiating an ambitious agreement to enhance trade and investment with eight other nations (Australia, Brunei Darussalam, Chile, Malaysia, New Zealand, Peru, Singapore, and Vietnam), with more waiting in the wings (Japan, Canada, Mexico), called the Trans-Pacific Partnership (TPP). Last summer, the US announced it had tabled an unprecedented proposal in a chapter on e-commerce in the TPP: binding, enforceable language obligating TPP countries not to block the cross-border transfer of data over the Internet, as well as a binding obligation that a TPP country cannot require a company to locate its data servers in its territory as a condition of doing business there.  According to the Office of the US Trade Representative (USTR), which has yet to publicly release the legal text, other provisions in the e-commerce chapter address customs duties in the digital environment, authentication of electronic transactions, consumer protection, and treatment of digital products.

The “data flow” provision is important to US social media and internet companies whose services have sometimes been blocked or censored abroad for competitive, political, or other reasons.  Of course data, however defined, is a broad term, and it “flows” in both directions – out of the US and into other TPP countries and vice-versa.  Thus, this provision also has significant implications due to differing national information privacy and data security regimes.  In particular, recent accounts indicate that Australia and New Zealand are concerned about the TPP proposal due to potential conflicts with their laws.  Early this month, during Australia’s “Privacy Awareness Week,” the government announced it plans to amend its Privacy Act of 1988 this year in several respects, including tightening requirements for sending personal information beyond its borders. The obvious concern, reportedly shared by New Zealand, is whether data transmitted to another TPP country would be subject to laws such as the PATRIOT Act in the US that could breach the privacy of its citizens.  As has been described elsewhere in this blog, the Obama Administration is urging Congress to enact a data privacy bill of rights, prompting the question of whether such rights would extend beyond US borders.  It’s a sticky wicket, no doubt.

Companies affected by these issues need to closely follow the ongoing negotiations and consult with the USTR in Washington, DC or during negotiating rounds, the next of which is slated for July 2-10 in San Diego.  Details of trade agreements aren’t generally made publicly available until the entire pact is fully negotiated and more or less agreed to, though some portions of the TPP were leaked last year.

European Commission Proposes Reform to Data Protection Rules

Earlier this year, the European Commission proposed a comprehensive reform to the EU's 1995 data protection rules, with the stated purposes of strengthening online privacy rights and boosting Europe's “digital economy.”

Still rooted in the European concept that privacy in one’s personal data is a human right, the updated EU directive is intended to modernize the principles enshrined in the 1995 Directive to ensure privacy rights in the future.  The suggested reforms include legislative proposals, including a regulation setting out a general EU framework for data protection.

According to the press release announcing the reforms, key changes include:

  • A single set of rules on data protection, valid across the EU, with unnecessary administrative requirements, such as notification requirements for companies, removed;
  • A strengthening of independent national data protection authorities, including granting them the power to issue fines to companies that violate EU data protection rules, in order to improve enforcement of the EU rules;
  • Increased responsibility and accountability for those processing personal data, including almost immediate breach notification requirements to supervisory authorities for “serious” breaches;
  • Organizations will be required to deal with a single national data protection authority in the EU country where they have their main establishment;
  • Clarification that wherever consent is required for data to be processed, it must be explicit rather than assumed;
  • A right of data portability to make it easier to transfer personal data from one service provider to another;
  • A “right to be forgotten” that will allow people to delete their data if there are no legitimate grounds for retaining it; and
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.

While the Commission's proposals will not have an immediate impact – they must be passed on to the European Parliament and EU Member States for discussion and will take effect two years after they have been adopted – there can be little doubt that privacy and online security will be a hot topic in 2012 and beyond. The full proposed Directive may be seen here.

Strategies for Compliance with EU "Cookies" Directive

Reports of the demise of Internet innovation in the UK, as a result of the UK’s implementation last May of the new European Directive governing the use of "cookies", were greatly exaggerated. That said, the impact of the Cookies Directive was delayed when the UK Information Commissioner's Office ("ICO") announced that it would abstain from enforcement of the Cookies Directive for a year, in order to give website operators an opportunity to adapt to the new requirement that (with some specific exceptions) website operators must obtain express consent before placing a "cookie" (a small text file that can be used to identify a device and track its activity) on a user's device. Given the almost universal use of cookies to enhance functioning and user experience on websites, critics have complained that compliance with the Cookie Directive will result in an Internet slowed to a crawl by a proliferation of pop-up boxes seeking consent every time cookies are deployed.

The May 2012 deadline for commencing enforcement draws ever closer. Any website operator with a significant user base in Europe should at this point be developing a strategy for compliance. If you have a substantial Internet presence in Europe, and are ignoring the Cookie Directive and hoping it goes away, you do so at your peril. In a Guidance issued last month, the ICO warned that companies disregarding the Cookie Directive should "be assured" that, after May 26, 2012, the ICO will be enforcing compliance.

The ICO's website offers one example of what compliance with the EU Cookie Directive might involve. When you first access the site, you see a boxed message at the top of the page stating:

The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.

Below this statement, users are asked to check a box next to the statement: "I accept cookies from this site."

If you click on the "Privacy Notice" referred to in the disclaimer, you are directed to a chart that: (i) lists 8 different types of cookies employed on the ICO site, (ii) provides detailed descriptions as to when and how these cookies are used, and (iii) provides links where you can obtain more information about these cookies.

We are not saying that your website must imitate what the ICO has done. In its recent Guidance, the ICO made it clear that it was not advocating one approach for every website or that it was expecting perfect compliance by May 26, 2012. But the ICO also made it clear that if it receives complaints, or is otherwise investigating a site, it will expect the website operator to be able to identify the steps that the website had taken towards compliance with the Cookie Directive.

In order to have a good answer to this question if the ICO comes calling, we recommend the following:

  1. Examine whether there are ways in which your privacy policy can more specifically identify the different types of cookies employed and whether you can better explain when and why they are used.
  2. Examine the feasibility of incorporating an express "opt-in box" to your use of cookies into the architecture of your website, and the extent that such a box would interfere with the user experience.
  3. Pay attention to how peer websites are disclosing their cookie practices—particularly over the next few months as companies prepare for the May 26th enforcement deadline. You don't want to be the only website in your industry that has failed to adopt disclosure practices which have become an industry standard.
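As an added illustration of the opt-in approach described above (this is example code written for this page, not code from the original post or from the ICO's site), the following JavaScript keeps a cookie inventory that can feed a privacy-notice table like the ICO's chart, and refuses to write any non-essential cookie until an explicit acceptance has been recorded. The class names, the cookie names and the category labels are assumptions; in a live page the `CookieJar` stand-in would be replaced by reads and writes of `document.cookie`.

```javascript
// Added example, not the ICO's or any vendor's code. Demonstrates gating
// non-essential cookies behind an explicit opt-in and keeping an inventory
// that doubles as the privacy-notice table. All names are hypothetical.

// Constructed cookie inventory: the kind of table a privacy notice should carry.
const COOKIE_INVENTORY = [
  { name: "session_id",    category: "essential",   purpose: "Keeps you logged in while you use the site" },
  { name: "consent_state", category: "essential",   purpose: "Records whether you accepted non-essential cookies" },
  { name: "_analytics_id", category: "analytics",   purpose: "Counts page views per visitor for site statistics" },
  { name: "ad_profile",    category: "advertising", purpose: "Selects advertisements based on pages visited" },
];

// Minimal stand-in for document.cookie so the gate runs and can be tested
// outside a browser (assumption: a real page would read/write document.cookie).
class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value) { this.cookies.set(name, value); }
  get(name) { return this.cookies.get(name); }
  has(name) { return this.cookies.has(name); }
  delete(name) { this.cookies.delete(name); }
  names() { return [...this.cookies.keys()]; }
}

class ConsentGate {
  constructor(jar, inventory, noticeVersion) {
    this.jar = jar;
    this.inventory = new Map(inventory.map((c) => [c.name, c]));
    this.noticeVersion = noticeVersion; // which wording the user actually saw
    this.consent = null;                // null = no decision recorded yet
  }

  // Only an explicit action (ticking the "I accept cookies" box) counts as
  // consent; leaving the page untouched never does.
  recordConsent(accepted, at = new Date()) {
    this.consent = {
      accepted: Boolean(accepted),
      at: at.toISOString(),
      noticeVersion: this.noticeVersion,
    };
    // The consent record itself is essential: it is the evidence of what the
    // user chose and which notice text they chose it against.
    this.jar.set("consent_state", JSON.stringify(this.consent));
    if (!this.consent.accepted) this.purgeNonEssential();
    return this.consent;
  }

  // Returns true if the cookie was written, false if blocked for lack of consent.
  // Cookies missing from the inventory are refused outright: if it is not in
  // the notice, the site cannot explain it to a regulator or a user.
  setCookie(name, value) {
    const entry = this.inventory.get(name);
    if (!entry) throw new Error(`cookie "${name}" is not in the inventory; add it to the notice first`);
    const consented = this.consent !== null && this.consent.accepted;
    if (entry.category !== "essential" && !consented) return false;
    this.jar.set(name, value);
    return true;
  }

  // Remove anything that is not essential, e.g. after consent is declined or withdrawn.
  purgeNonEssential() {
    for (const name of this.jar.names()) {
      const entry = this.inventory.get(name);
      if (!entry || entry.category !== "essential") this.jar.delete(name);
    }
  }
}

// Rows for the privacy-notice chart: one line per cookie, with its category and purpose.
function noticeRows(inventory) {
  return inventory.map(({ name, category, purpose }) => ({ name, category, purpose }));
}

// Stand-alone walk-through of a first visit followed by acceptance.
function walkthrough() {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar, COOKIE_INVENTORY, "notice-v1");
  gate.setCookie("session_id", "s-123");     // essential: written immediately
  gate.setCookie("_analytics_id", "a-1");    // blocked: no consent yet
  gate.recordConsent(true);                  // user ticks the box
  gate.setCookie("_analytics_id", "a-1");    // now written
  return jar.names();
}
```

The point of keeping `consent_state` as a cookie of its own is the ICO's question in the section above: when asked what steps the site took, the operator can show not only that an opt-in box existed but which notice text each user accepted and when.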

Outsourcing to India: Privacy Law Clarified

India’s $41 billion outsourcing industry and its clients can breathe a sigh of relief; the Indian Government has issued an official clarification concerning its new, broad privacy regulations.

As noted in an earlier blog, in April 2011, India adopted new privacy rules under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These rules are applicable to all organizations that collect and use sensitive personal data and information in India. These rules seemed to have a broad impact on India’s outsourcing industry.

The rules appeared to construct limitations on India’s outsourcers in both acquiring and transferring sensitive personal data. On the one hand, companies or their intermediaries appeared to be required to receive written consent from the information provider by letter, fax, or email, regarding the purpose of the use of the data under Rule 5(1) of the Privacy Rules.

Similarly, Rule 6 requires organizations to obtain prior consent of the information provider before transferring sensitive personal data to third parties unless disclosure has already been agreed to by contract or required by law. Further, no organization inside India would be able to transfer sensitive personal data to a third party outside of India unless the transferee ensures the same level of protection as required under the Indian Rules. Sensitive personal data is defined as financial information; passwords; physical, physiological, and mental health condition; sexual orientation; medical records and history; and biometric information.

This combination of likely restrictions proved relatively drastic and potentially burdensome to India’s outsourcing industry. The flow of data between the United States and India has long been unrestricted and largely unregulated. The new Indian Rules appeared more stringent than the existing privacy laws of the United States. To this extent, American companies doing business with India apparently needed to update their privacy practices in order to comply with the new privacy regulations.

At the same time, the rules were impractical. For instance, a requirement of written consent from every foreign citizen whose sensitive personal data moved through India’s enormous collection of call centers and other outsourcing operations would be cumbersome for Indian outsourcers to implement.

In response to industry concerns, the Indian Government has since clarified its recently adopted privacy regulations. India issued an official clarification recently, noting that sensitive personal data sent to India by customers outsourcing information technology work will not be covered by Rules 5 and 6 of the Privacy Rules. Rather, the new privacy rules apply only to Indian companies that collect information from “natural persons.” It is the companies collecting and sending the data, rather than the outsourcers, that are responsible for protecting the privacy of the data according to the rules of their respective countries. Therefore, United States companies sending data to Indian outsourcers for processing will be required to follow the privacy laws of the United States, not India.

However, this clarification might not be the last, as some believe Indian outsourcers have received preferential treatment under the Indian Government’s recent explanation. Further, such treatment allegedly violates the spirit of the Information Technology Act, the Act under which the Privacy Rules have been promulgated. Notably, Section 1(2) of the Act states that it applies to “the whole of India and...to any offence or contravention thereunder committed outside India.” For these reasons, the clarification restricting the application of the Privacy Rules to companies or persons located within India could eventually be struck down in court. We will follow the developments in India.

New Indian Privacy Law Impacts U.S. Companies

In the United States, India is synonymous with outsourced data processing services and customer service call centers for credit card issuers, banks and retailers.  The flow of data between the two countries has been unrestricted and, to a large extent, unregulated.  This has now been changed.

In April 2011, India adopted new privacy regulations known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.   These rules apply to all organizations that collect and use personal data and information in India and are likely to affect any corporation that outsources to India or collects personal information there in its business. 

One of the more important provisions relating to foreign companies is that no organization inside India may transfer sensitive personal data to a third party outside of India unless the transferee ensures the same level of protection that is required by the Indian Rules.  Sensitive personal data is defined as financial information; passwords; physical, physiological, and mental health condition; sexual orientation; medical records and history; and biometric information. 

Therefore, online retailers and other American companies that routinely receive such information from organizations inside India will need to meet Indian privacy standards in order to continue receiving the information.  In addition, because these rules appear to apply even to information gathered about non-Indians, companies which outsource sensitive personal data collection to India will need to ensure that they meet the standards required by these new Indian Rules. 

Because the Indian Rules are in some ways more strict than American and European privacy law, companies doing business in India may need to update their privacy practices in order to comply.  For example, companies that outsource their customer service to India might need to change their practices to explicitly notify callers that their information is being collected and explain why it is being collected.  Additionally, companies that collect information labeled sensitive under Indian law may also need the callers’ consent via mail, fax, or e-mail before collecting any such information. 

Since overseas companies that collect personal information in India may need to update their practices to comply with Indian law, a summary of the new Indian Rules can be found below.  The Rules place some obligations on all information collectors and stricter ones on sensitive information collectors. 

General Obligations

  • Privacy Policy.  Any organization covered by the rule must enact a privacy policy and make it available on its website.  This policy must include a description of the information that is collected, the purpose of collection, to whom the information may be disclosed, and security practices for protecting the information. 
  • Notice and Use.  Organizations must take reasonable steps to ensure that information providers (consumers) know that their information is being collected, the purpose of collection, the recipients of the information, and the name and address of the agencies collecting and retaining the information.  Organizations may only use personal information for the purpose for which it was collected. 
  • Access and Correction.  Information providers must be given the opportunity to have access to their information to review it for accuracy.  Organizations must correct any information found to be inaccurate. 
  • Security.  Organizations are strongly encouraged to have a comprehensive documented information security program and policies that contain managerial, technical, operational, and physical control measures commensurate with the information assets and nature of the business.  In order to escape liability in the event of a breach, the organization must demonstrate that (i) it implemented its security control measures as they are set out in the documentation and (ii) those measures were reasonable security practices.  If an organization has implemented an approved industry code of practice and its compliance has been audited, it is deemed to have complied. 

Specific Obligations for Sensitive Personal Data

  • Limitations on Acquiring Information.  An organization may only collect sensitive personal data from a person if it is necessary in order to provide the person with goods or services.  In addition, the organization must receive written consent from the provider by letter, fax, or e-mail, regarding the purpose of use, and the provider may opt out and withdraw consent at any time.  However, if the information provider opts out, the organization may also cease providing goods and services.  The organization may not retain the information longer than necessary. 
  • Transferring Information.  Unless disclosure has been agreed to by contract or is required by law, organizations need to obtain prior consent of the provider before transferring sensitive personal data to a third party.  Also, no transfer of information may be made overseas unless the overseas party ensures the same level of protection provided for under the Indian Rules.

Are the Cookies Crumbling?

Although the world did not come to an end on Saturday, as one millennial group had predicted, some in Europe worry that the end is near for European Internet start-ups when the new EU cookie directive goes into effect on May 25, 2011.  The concern is that European-based web sites will become littered with pop-up windows seeking consent to the use of cookies, while sites in the U.S. will continue to benefit from cookies without having to get a user’s express consent for every cookie placed on a user’s machine.

And while European-based web sites fear they will bear the brunt of enforcement, U.S.-based websites with users in Europe are potentially subject to these rules as well.

Website operators install cookies (small digital files) on users’ computers to store and retrieve information about a user's activity on the site.  Cookies are an important tool for measuring the appeal of content, improving user services and targeting advertising.   Traditionally, website operators have disclosed their use of cookies in their website privacy policy.  Users were deemed to consent to having cookies installed on their computer in accordance with this posted policy.   As the UK Information Commissioner's Office (“ICO”) has explained in recently issued guidance, this passive consent is no longer generally permitted under the new EU rules.  With certain limited exceptions, a user must affirmatively “opt in” to accepting cookies before a website can install cookies (or any similar file) on a user’s computer.
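The opt-in model the ICO guidance describes, as an added JavaScript example that is not part of the original post: non-essential cookies are held back until the user affirmatively consents to their category, while a "necessary" category (an assumed stand-in for the limited exceptions) is set immediately. The in-memory jar is a constructed substitute for document.cookie so the logic runs outside a browser.

```javascript
// Added example: consent-gated cookie setting. "necessary" is the assumed
// exempt category; everything else needs an affirmative opt-in first.
const EXEMPT_CATEGORIES = new Set(["necessary"]);

// Constructed in-memory jar standing in for document.cookie.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.granted = new Set();   // categories the user has opted into
    this.deferred = [];         // cookies held back until consent arrives
    this.category = new Map();  // cookie name -> category, used on withdrawal
  }
  allowed(category) {
    return EXEMPT_CATEGORIES.has(category) || this.granted.has(category);
  }
  // Returns true if the cookie was set now, false if it was deferred.
  setCookie(name, value, category) {
    this.category.set(name, category);
    if (this.allowed(category)) { this.jar.set(name, value); return true; }
    this.deferred.push({ name, value, category });
    return false;
  }
  // Affirmative opt-in: release only the cookies of the granted category.
  grant(category) {
    this.granted.add(category);
    const still = [];
    for (const c of this.deferred) {
      if (c.category === category) this.jar.set(c.name, c.value); else still.push(c);
    }
    this.deferred = still;
  }
  // Withdrawal removes every cookie previously set under that category.
  withdraw(category) {
    this.granted.delete(category);
    for (const [name, cat] of this.category) if (cat === category) this.jar.remove(name);
  }
}

function demo() {
  const gate = new ConsentGate(new CookieJar());
  gate.setCookie("session", "abc", "necessary");  // exempt: set immediately
  gate.setCookie("_ga", "GA1.2.1", "analytics");  // held until opt-in
  const before = gate.jar.names();
  gate.grant("analytics");
  const after = gate.jar.names();
  gate.withdraw("analytics");
  return { before, after, final: gate.jar.names() };
}
```

In a browser the jar would be backed by document.cookie, and grant/withdraw would be wired to the consent banner's controls.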

The potential fines for violation of the EU cookie rule are high – up to £500,000 in the UK – but it is unclear whether or when EU authorities will commence enforcement of this new rule.  The ICO has said it will delay enforcement to give website operators time to adjust their practices.  The ICO has also held out the possibility that the ultimate solution will be more advanced web browser technology.  The ICO advocates widespread adoption of web browsers that give users more control over the types of cookies they allow to be placed on their computer.  But until this technological solution arrives, website operators with users in Europe must confront the question of how, and how soon, they will bring their sites into compliance with the EU directive.