Proud sponsor of 1410 Q Street: DCs Innovation Hot Spot!
SLRNO wishes You Happy Holidays and Best Wishes for the New Year!
& INFORMATION LAW UPDATE
Mobile applications have made a splashy debut across global platforms and will be a driver in the creation of a vibrant new economy. Consumers, business and other enterprises are able to access and download or deploy Apps over mobile devices, social networking platforms, web sites and browsers for entertainment and to perform a wide variety of functions and transactions. As a result, the App is replacing the website as we know it and spawning a thriving new ecosystem.
This ecosystem is currently inhabited by several key players, for example: the Venture Capital community that is funding the developers of new digital goods and services; device manufacturers, telecommunications carriers and platform service providers over which App developers make their products available; and cloud service providers that store digital products. All of these sectors are competing to secure their niche and monetize their products or services in the nascent App economy. To do so, each must identify and overcome a number of important challenges. For example, developers must address discoverability and distribution; carriers must decide how best to leverage ownership in their network infrastructure and longstanding customer relationships; and publishers and other content providers need to predict how Apps will be accessed in the future -- for example, through an App store or web browser.
Almost certainly, however, all of these business sectors will have to face a common challenge in the near future -- the looming governmental response (by US or International authorities, or both) to a perceived increase in the risk to individual and enterprise privacy posed by the collection, retention sharing and use of personal data when an App is accessed or downloaded. This perception of risk will probably escalate when technology enables individual data that is captured during the process of accessing and downloading an App (and perhaps embedded in Apps) to be transferred from one device to another in real time with a persons movements. Some current or reasonably foreseeable examples include data about an individuals home energy consumption captured in a smart grid App; personal health data captured in an individuals electronic health record App; sales information captured in a companys product management App; and an individuals location captured in a social media App -- traveling with an individual from Smartphone, I-pod, tablet, or e-reader to vehicle, television or game console.
The privacy concerns posed by these and similar scenarios raise a number of interrelated questions, including: (1) What is the appropriate framework for managing and securing personal information? (2) Which entities in the business chain should bear legal responsibility for protecting privacy? (3) What tools should be given to users to manage their data? and (4) Whose laws and regulations should govern in the global marketplace?
In the US, it may be tempting to look to the existing approach for protecting privacy -- the linchpin of which has been fair information principles (FIPs) -- to predict a similar approach to privacy protection in the App economy. But the FIPs approach was implemented at a time when policymakers may not have perceived the extent, pace or global reach of technological innovation, the rapidly evolving methods for collecting personal data or commercial uses of data, or the advent of location- based technologies and services. In the current climate, policymakers might conclude that something more than a FIPs approach is required.
The FIPs framework currently operates alongside long-standing privacy laws and regulations that are both broad-based (e.g., the Telecommunications Consumer Privacy Act, (TCPA) the Stored Communications Act, the Privacy Act of 1974, and the Childrens Online Privacy Protection Act), and sector-specific laws (e.g., the FCCs Customer Premises Equipment Rules, Cable Communications Act of 1984, the Health Insurance Patient Portability Act, Graham-Leach-Bliley Act, and Fair Credit Reporting Act). A common denominator of many of these laws is that they generally permit businesses to share customers personal information with affiliates. But in the App ecosystem, legally sufficient affiliate relationships may be less likely to exist. For example, a federal appeals court applying the TCPA to unsolicited commercial text messages recently concluded that the entry into a contractual relationship for a business purpose did not confer affiliate status within the meaning of the statute.
In the App economy, data collection may be more likely to occur when unaffiliated and distinct businesses interact with users at various points along the business chain. For example, developers might collect customer data through their software applications; platforms over which Apps may be accessed and downloaded may collect data independent of the App developer; ISPs may collect data when a user access and downloads an App over the carrier network; and mobile and other devices can collect data during an Apps use. Users may not understand who among these entities may be accessing their data. Regulators are starting to examine these scenarios to ascertain who should bear the risk, including legal obligations involving notice, consent, and safeguarding data.
Recent court cases reveal the inability of the law to keep pace with innovation, and illustrate the difficulty of applying dated laws to new and emerging technologies. Some federal courts have explicitly refrained from making sweeping privacy rulings in the absence of better information about the technology at issue and behavioral practices regarding use. Likewise, regulators in some instances have refrained from acting to create new rules for emerging online services to avoid impeding innovation. For example, after investigating online behavioral advertising practices, broader online privacy issues arising from social media and mobile communications, and the mobile marketplace in general, the FTC issued guidelines and reports, but fell short of calling upon Congress to enact new laws.
Experience demonstrates that even the most sophisticated, forward looking laws may not embody the kind of flexibility required to keep pace with technology innovation. Outdated approaches to protecting privacy in the App marketplace could not only prove cumbersome, but could stymie innovation at a time when the industry is still in its relative infancy.
One alternative for protecting privacy without inhibiting innovation would be to encourage government support for industry standards, best practices and self regulation that integrate a FIPs approach. Industry standards and best practices that are informed by existing rules and guidelines could be more readily modified to address privacy and information management or security concerns with the emergence of new devices, products and technologies. Self-regulation would also be beneficial to a fundamental segment of the App economy -- the App developers, many of whom have no experience with government regulation. Best practices and self-regulation could ensure the incorporation of privacy protections at the earliest stages of product development, an approach that regulators are already on record as promoting -- most recently in an FTC Staff draft privacy report.1 Integrating long established FIPs into industry self-regulation would bestow a familiar and tested framework on privacy protection to which all businesses operating in the App economy might be more likely to adhere. Finally, regulators already have powerful enforcement tools at their disposal that they can use to take action against bad actors.
The App economy is still in its very early stages. Proactively addressing privacy concerns through industry standards, best practices and self-regulation could minimize business and legal risk, instill confidence in consumers, and avoid potentially harmful regulation.
1Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policymakers, released December 1, 2010, available at: http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.
Federal Trade Commission Releases Consumer Privacy Report
The FTC is accepting public comments on the report through January 31, 2011 and plans to issue a final report later in the year.
Given the FTCs limited rulemaking authority, Congressional action will be required to implement many of the reports recommendations, including a Do Not Track registry for web- based marketing similar to the Do Not Call registry for telemarketers. FTC Chairman Jon Liebowitz first floated the concept during Congressional testimony in July. According to the report, a Do Not Track mechanism would likely take the form of a persistent identifier on consumers browsers, similar to a cookie, to enable users to choose whether to allow the collection of data regarding their online searching and browsing activities.
In addition, the report:
Chairman Liebowitz emphasized in public remarks accompanying the reports release that the FTC will continue using its enforcement authority to take action against companies that cross the line to violate consumer privacy, particularly in instances involving young children and teens. (The FTC is in the midst of a separate proceeding to review the Childrens Online Privacy Protection Act Rule).
It is unlikely that this report will result in an immediate change in the law or existing regulation even in the event of renewed Congressional interest in expanding the FTCs rulemaking authority. Nevertheless, the reports release offers a useful roadmap to business for minimizing the risk of an FTC enforcement action. In addition, the report comes at a time of heightened focus on privacy concerns by regulators and lawmakers in many quarters. The FCC National Broadband plan reveals the FCCs interest in ensuring that privacy concerns do not create obstacles to the adoption of broadband or cloud computing services. The House Subcommittee on Consumer Protection held a hearing to address privacy concerns the day after the report was released. The release of a US Commerce Department report that addresses online privacy is imminent.
If adopted, the FTCs report could require businesses to significantly modify current privacy and data security policies. Now is the time to review current data collection, retention, sharing and use practices.
The report can be viewed at: http://www.ftc.gov/Os/2010/12/101201privacyreport.pdf.
Legislation & the 112th Congress
That said, Republicans and Democrats have already indicated that protecting consumer privacy will not be abandoned in the 112th Congress. Efforts will continue to focus on how to create an appropriate legal framework for regulating the online and off line data collection, sharing and use practices of companies doing business in the US. A central tension will involve whether to simply codify existing industry self-regulatory programs or more broadly define an appropriate role for the federal government, and spell out specific measures for protecting consumers privacy in the global online marketplace. Any effort to expand the federal governments role will likely be limited to the following areas: 1) consumer privacy/childrens online safety, 2) cyber security, 3) Electronic Communications Privacy Act (ECPA) reform, and 4) electronic health record privacy.
With this in mind, here is what can be expected:
Regulatory Initiatives in Brief.
Any legislative preview would be incomplete without noting related federal agency initiatives. Businesses should expect that federal agencies will continue to be actively engaged in privacy and data security issues. The FTC will continue to play an important role in protecting consumer privacy, and the Department of Commerce report can be expected to inform consideration of policy changes.
Internet Service Providers & Privacy Regulation: Stay Tuned
The Federal Communications Commission (FCC) has traditionally regulated the common carrier activities of Broadband ISPs, including imposing consumer protection obligations through longstanding Customer Proprietary Network Information (CPNI) rules. The FCC continues to enforce these rules, imposing significant fines for non-compliance. In addition, the agency is asserting a role in cyber security policy initiatives, including evaluating vulnerabilities that would expose the communications infrastructure to cyber attacks and appropriate responses. A significant aspect of the FCCs involvement in cyber security will involve coordinating with other federal agencies, including the NSA and Department of Homeland Security, industry and other stakeholders to address privacy and data security issues posed by proposed cyber security countermeasures.
Tasked with broad consumer protection powers, including enforcement powers, the Federal Trade Commission (FTC) plays an active role in protecting consumer privacy. The agency has used its enforcement authority to initiate a number of high-profile enforcement actions against commercial website operators and other online service providers. It has also issued guidelines for behavioral advertising, recently released a comprehensive report on consumer privacy with numerous policy recommendations, and is in the midst of reviewing the Childrens Online Privacy Protection Act rule.
Many broadband ISP providers have historically been beyond the FTCs reach under the Federal Trade Commission Acts common carrier exemption. Under this exemption, broadband ISP services -- if offered as a common carrier service -- are subject to FCC regulation under Title II of the Communications Act.
Over the course of the last decade, however, a number of FCC decisions, including those that classified Broadband Internet access as an information service and removing the requirement that transmission be offered as a telecommunications service on a common carrier basis, significantly weakened the FCCs ability to impose privacy and data security obligations for new broadband ISP services and applications.
In 2009, the FCC sought to reassert jurisdiction over broadband services whether or not offered as non-common or common carriage. The justification for doing so was rejected by the D.C. Circuit in the Comcast case, which involved an appeal of FCC sanctions against the company for allegedly discriminating against classes of service over its network. In response, the FCC appeared poised to reclassify Broadband ISP services as a Title II service. Doing so would have brought Broadband ISP privacy and data collection practices under FCC authority. The agency has all but abandoned that strategy. The telecommunications sector awaits the release of proposed rules that will assert Title I jurisdiction over Broadband ISPs, potentially opening the door for FTC assertion of jurisdiction over broadband ISP data collection security practices.
Apart from these FTC-FCC jurisdictional issues, there are increasing calls from many quarters, including the FCC, to develop a unified approach to privacy protection regulation, doing away with the current compartmentalized, sector-specific approach that is growing increasingly outdated with the roll out of new technologies and products that blur traditional jurisdictional distinctions. For example, the probable ability of ISPs to prioritize certain types of traffic or institute usage-based pricing may raise privacy issues that could fall between jurisdictional gaps. Similarly, the advent of location based services, raises uncertainty about regulatory responsibility for related privacy concerns.
All of this must be viewed in the context of the goals of the FCCs National Broadband Plan. The FCC appears concerned that fears about the increased erosion of privacy and data security protections pose significant obstacles to increased broadband adoption and related services and applications, including cloud computing, mobile patient monitoring and health IT, distance learning and smart grid technologies. The FCC expressed concern that the transfer of personal or sensitive data from local networks and servers to those hosted by remote third parties raises numerous privacy and data security questions.
To further its agenda of promoting broadband adoption and innovation, the FCC has urged Congress to strengthen privacy and data security protections and implement the following recommendations:
The FCC also recommends:
Finally, it should be noted that a number of federal agencies are currently examining privacy, including the Department of Commerce and the National Institute of Standards and Technology. The Department of Commerce will release a report this month following its inquiry into online privacy and innovation. Like the FTC consumer privacy report, the Department of Commerce report is expected to contain findings and recommendations that could be incorporated into new rules affecting broadband ISPs.
These developments are not likely to result in immediate regulation for Broadband ISPs. They do suggest, however, a strong likelihood that broadband ISPs will be confronted with new regulations that could add significant compliance costs to operations. Accordingly, these developments should be closely monitored and opportunities to affect the regulatory environment by filing comments and meeting with policymakers should be identified.
Suggestions for Businesses Thinking About Adopting Social Media
Regulated industries, including the financial services, health care and those subject to certain FTC rules and guidelines, must pay particular attention to uniquely sector-specific laws and regulations -- many of which predate modern communications technologies.
For example, the financial services industry has numerous record keeping requirements, including that companies retain records of their own communications and those of authorized representatives. Some of these rules can apply to communications using social media. The content of these communications typically triggers retention rules. Yet because social media communications are by nature interactive and distributed across the platform, third party postings could be attributable to the company. Questions may also arise about legal custody of those communications, including whether a communication is under the control of the financial services company, the platform provider or other persons. Similar issues can arise for other regulated or unregulated businesses.
Irrespective of whether a business is a regulated or unregulated entity, social media tools are a fact of workplace life. Therefore, businesses should implement policies and procedures to ensure appropriate management of and control over use of social media tools by personnel. An important first step is to create a social media policy.
Before creating a social media policy, a business should: 1) thoroughly evaluate industry-specific laws and regulations; 2) undertake a thoughtful assessment of its workplace culture and operations, including the computing environment and employee use of social media; and 3) have a clear sense of the customers, clients and business partners with whom it wishes to interact and the objectives of those social media interactions.
Businesses may want to consider creating different policies for different social media tools. This approach could involve creating a general social media policy with links to separate policies that apply narrowly to a specific tool. Other businesses may want to consider creating separate internal and external policies to reflect distinct uses.
A social media policy should include a number of important core components. It should:
As noted, technology innovation and use continues to rapidly evolve, creating new means of generating, communicating and distributing information. It is a safe bet that the law will be unable to keep pace with these rapid changes, resulting in some legal, business and regulatory uncertainties. Nevertheless businesses can benefit from social media technologies and minimize risk by formulating carefully considered social media policies followed with appropriate oversight and coordination among departments.
Businesses should keep apprised of changes in the legal or regulatory environment, and undertake a periodic review of their social media policies to reflect these changes, as well as changes to business operations or the use of new communications technologies and tools.
Neuman Discusses Privacy & the Use of Biometrics by Institutions of
|Copyright © 2010 St. Ledger-Roty & Olson, LLP.|