In a Preliminary Letter of Findings issued yesterday, Canadian Privacy Commissioner Jennifer Stoddart found that Google’s collection of payload data from unencrypted Wi-Fi networks by Google’s Street View cars violated Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”).
Canada’s Office of the Privacy Commissioner (“OPC”) conducted an investigation of Google, including examining the payload data collected from Canadian residents. OPC examiners found that Google captured personal information, such as email addresses, complete email messages, addresses and phone numbers, including sensitive personal information such as medical information. OPC also found that the collection resulted from a design engineer’s “careless error,” namely the failure to follow Google’s design review procedures.
OPC found that by inadvertently collecting the unencrypted Wi-Fi data, Google violated PIPEDA Principles because: (1) it did not have consent of the individuals from whom the personal information was collected (Principle 4.3); (2) it did not identify a purpose for the collection of the data (Principle 4.2); and (3) the collection was not limited to necessary data (Principle 4.4).
As a result of the investigation, Commissioner Stoddart recommended that: (1) Google reexamine and improve employee privacy training; (2) ensure that it has effective procedures to protect privacy and controls to ensure they are followed prior to the launch of any product; (3) designate individuals who are accountable for compliance with Canadian privacy law; and (4) delete the Canadian payload data to the extent it is allowed to do so under Canadian and U.S. laws. The Preliminary Letter of Findings gives Google until February 1, 2011 to comply with these recommendations.
A class action lawsuit was filed on September 16, 2010, alleging that the lead defendant, Ringleader Digital, Inc., and several website operators utilizing Ringleader Digital’s technology violated the plaintiffs’ privacy rights by illegally tracking individuals’ mobile internet activity without their permission. This appears to be the first class action lawsuit involving tracking of mobile devices’ internet activity and is very similar to the series of class action lawsuits filed over the last few months focusing on “Flash cookies” (including Valdez v. Quantcast Corp., White v. Clearspring Technologies, Inc. and La Court v. Specific Media, Inc.), as covered by the Wall Street Journal and the New York Times. (The Flash cookie cases were also covered in the Privacy and Information Security Committee’s July-August and September Updates, materials for which are available to committee members here.)
The complaint alleges that Ringleader Digital developed technology, known as Media Stamp™, utilizing HTML5 local storage databases to create the mobile equivalent of a third-party online cookie. The complaint also alleges that the Media Stamp technology assigns users a unique identifying number and allows Ringleader Digital, advertisers, ad agencies and website publishers to create a local HTML5 database to track a mobile device’s internet activities over multiple websites.
The lawsuit relies on similar legal bases as the Flash cookie lawsuits. The main thrust of all claims is that Ringleader Digital and the other defendants violated privacy laws by tracking a mobile device’s internet activity with no disclosure that it was doing so and without authorization. The plaintiffs also allege that the tracking databases created by the defendants would be recreated even after the plaintiffs deliberately tried to remove them, which is similar to the “re-spawning” or “zombie” aspect of Flash cookies.
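The two technical claims in the complaint, a persistent identifier kept in HTML5 local storage and a tracking entry that reappears after the user deletes it, are the kind of behaviour a site owner or auditor can check for directly. The following is an added example, not code from the original post, from Ringleader Digital, or from any party to the lawsuit: a small JavaScript audit that reads a snapshot of a browser’s storage, flags values that look like opaque per-device identifiers, and compares a snapshot taken after the user cleared storage with one taken after the next page load to report keys that were recreated. The key names and values in the sample snapshots are constructed for illustration and are not taken from the complaint.

```javascript
// Added example (not from the original post or from any party to the lawsuit).
// Audits Web Storage snapshots for tracking identifiers and for entries that
// come back ("re-spawn") after the user has cleared site data.
//
// In a browser, snapshotStorage(window.localStorage) reads the live store; the
// snapshots used below are constructed plain objects so the script runs offline.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const HEX_RE = /^[0-9a-f]{16,}$/i;
const BASE64ISH_RE = /^[A-Za-z0-9+/_-]{20,}={0,2}$/;

// Read every key/value out of a Web Storage object (localStorage/sessionStorage)
// into a plain object so it can be diffed later.
function snapshotStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    out[key] = storage.getItem(key);
  }
  return out;
}

// Heuristic: a value that is one structureless opaque token (UUID, long hex,
// long base64-like string) is more likely an identifier than preference data.
// JSON objects wrapping such a token, e.g. {"id":"..."}, are flagged too.
function looksLikeIdentifier(value) {
  if (typeof value !== 'string') return false;
  const v = value.trim();
  if (UUID_RE.test(v) || HEX_RE.test(v)) return true;
  if (BASE64ISH_RE.test(v)) return true;
  try {
    const parsed = JSON.parse(v);
    if (parsed && typeof parsed === 'object') {
      return Object.values(parsed).some((x) => looksLikeIdentifier(x));
    }
  } catch (e) { /* not JSON: fall through */ }
  return false;
}

function findIdentifierKeys(snapshot) {
  return Object.keys(snapshot).filter((k) => looksLikeIdentifier(snapshot[k])).sort();
}

// Keys that existed before the wipe, were gone right after it, and are present
// again after the next page load: recreated by script, whatever the new value.
function findRespawnedKeys(before, afterClear, afterReload) {
  return Object.keys(before)
    .filter((k) => !(k in afterClear) && k in afterReload)
    .sort();
}

// Subset of the above whose value is byte-for-byte the old one. A freshly
// generated random id would differ, so an identical value means the old id was
// restored from some other store rather than regenerated.
function findRestoredValues(before, afterClear, afterReload) {
  return findRespawnedKeys(before, afterClear, afterReload)
    .filter((k) => afterReload[k] === before[k]);
}

function auditReport(before, afterClear, afterReload) {
  return {
    identifiers: findIdentifierKeys(before),
    respawned: findRespawnedKeys(before, afterClear, afterReload),
    restoredUnchanged: findRestoredValues(before, afterClear, afterReload),
  };
}

// Constructed sample snapshots (hypothetical key names, not from the complaint).
const SAMPLE_BEFORE = {
  theme: 'dark',
  cart: JSON.stringify({ items: 2 }),
  ad_uid: '3f2b1c4e-9a7d-4c1e-8b2f-0d6e5a4c3b2a',
  ms_stamp: JSON.stringify({ id: 'b7e2c9d4a1f0e6c8b3a5d7f9e1c2b4a6' }),
};
// User cleared site data, then re-selected the dark theme by hand.
const SAMPLE_AFTER_CLEAR = { theme: 'dark' };
// Next page load: one id restored unchanged, one recreated with a fresh value.
const SAMPLE_AFTER_RELOAD = {
  theme: 'dark',
  ad_uid: '3f2b1c4e-9a7d-4c1e-8b2f-0d6e5a4c3b2a',
  ms_stamp: JSON.stringify({ id: 'ffffffffffffffffffffffffffffffff' }),
};

console.log(JSON.stringify(auditReport(SAMPLE_BEFORE, SAMPLE_AFTER_CLEAR, SAMPLE_AFTER_RELOAD), null, 2));
```

The three snapshots are the minimum needed to distinguish a key the user simply set again (present in the post-clear snapshot, so never counted) from one that script recreated, and the value comparison separates regeneration from restoration; the latter is what the complaint characterises as “re-spawning,” and is the case worth escalating in a privacy review because it implies a second copy of the identifier outside the storage the user cleared.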
The claims asserted include violations of the federal Computer Fraud and Abuse Act (18 U.S.C. § 1030) and the following California laws: Computer Crime Law (Cal. Penal Code § 502), Consumer Legal Remedies Act (Cal. Civil Code § 1750), Unfair Competition Law (Cal. Bus. & Prof. Code §17200), Invasion of Privacy Act (Cal. Penal Code § 630), common law trespass to personal property, and unjust enrichment.
A copy of the complaint is available here.
The European Union Commission has decided to refer the United Kingdom to the European Union Court of Justice for not fully implementing rules laid down in both Directive 2002/58/EC (the “ePrivacy Directive”) and Directive 95/46/EC (the “Data Protection Directive”). Under European Union law, a Directive is not directly enforceable, but must be implemented by each Member State in its national legislation. A directive is binding, however, as to the result to be achieved.
British Telecom admitted in 2008 that it had carried out in 2006 and 2007 secret testing of Webwise, a behavioral advertising technology developed by Phorm. Webwise tracked and constantly analyzed users’ Internet activity to determine their interests in order to provide them with targeted advertising.
Users complained about what they thought were unlawful interceptions of communications. They complained to the Information Commissioner’s Office (ICO), which is the UK’s independent authority on personal data protection, and to the police.
The EU Commission inquired into the UK government’s response to these complaints. It grew concerned that the EU data protection laws protecting the confidentiality of communications, which prohibit interception and surveillance without users’ consent, had not been adequately implemented by the UK.
Recital 24 of the ePrivacy Directive states that the use of devices which can be used to gain access and store information located on terminal equipment of users of electronic communications networks is allowed only “for legitimate purposes, with the knowledge of the users concerned.”
Article 5(1) of the ePrivacy Directive requires Member States to ensure, through national legislation, the confidentiality of electronic communications. They must prohibit listening, tapping, storage or other kinds of interception or surveillance of communications, unless the users consent to it.
Under the UK Regulation of Investigatory Powers Act of 2000 (RIPA), it is a crime to intercept communications intentionally. It is legal, however, to intercept a communication if the interceptor has “reasonable grounds for believing” that consent to intercepting has been given.
RIPA thus does not comply, in the Commission’s view, with the definition of “data subject’s consent” set out by article 2(h) of the Data Protection Directive as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” Article 7(a) of the Data Protection Directive states that the data subject must have given his consent “unambiguously.”
The Commission also considered that UK law does not comply with EU rules on enforcement by supervisory authorities, as the UK does not have an independent national supervisory authority supervising the interception of communications.
The Commission has the power to commence an infringement proceeding against a Member State which the Commission believes infringes EU law. The Commission opened an infringement proceeding against the UK in April 2009 by sending a letter of formal notice, which is the first stage of an infringement proceeding. The Commission, not satisfied by the UK’s response to the letter of formal notice, moved to the second stage of an infringement proceeding in October 2009 by announcing it would send the UK a reasoned opinion on the matter.
The Commission found the reply to the reasoned opinion unsatisfactory, and referred the case to the Court of Justice this last September. If the Court of Justice establishes an infringement, the UK will be required to take the necessary measures to comply with the judgment.
It will be interesting to follow how the EU Court of Justice will decide this case. Could it be possible that online behavioral advertising programs would be considered unlawful interception of communication, if users do not consent to it?
The issue of Internet users’ consent is hotly debated right now in the UK. Should users consent to cookies being stored on their computers? Directive 2009/136/EC, nicknamed the “cookie directive,” entered into force on December 19, 2009, and must be transposed by Member States by May 25, 2011. Recital 66 of the Directive states that “users must be provided with clear and comprehensive information when engaging in any activity which could result in storing or gaining of access [to their equipment].” The new article 5(3) of the ePrivacy Directive, as amended by the “cookie directive,” requires a user’s consent before storing cookies, after the user has been provided “with clear and comprehensive information.” How Member States will implement this requirement, and how the European Court of Justice will rule in the Phorm case, will be watched closely in the coming months by online behavioral marketers.
Under the TCPA, it is unlawful for any person… to initiate any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without the prior express consent of the called party, unless the call is initiated for emergency purposes or is exempted by rule or order by the Federal Communications Commission under paragraph (2)(B).
THE ESTABLISHED BUSINESS RELATIONSHIP EXEMPTION
One of these exemptions is the “established business relationship” exemption (EBR). An EBR is defined by the Code of Federal Regulations, 47 C.F.R. § 64.1200, as a “voluntary two-way communication between a person or entity and a residential subscriber with or without an exchange of consideration, on the basis of the subscriber's purchase or transaction with the entity within the eighteen months immediately preceding the date of the telephone call or on the basis of the subscriber's inquiry or application regarding products or services offered by the entity within the three months immediately preceding the date of the call, which relationship has not been previously terminated by either party.”
In April 2009, the retailer Talbots left a prerecorded message on the answering machine of one of its Washington State customers, informing her about some upcoming sales. Her husband, Mr. Cubbage, was annoyed by the message and sued the retailer, asserting that Talbots had violated the TCPA and the Washington Automatic Dialing and Answering Devices Act, RCW 80.36.400 (WADAD). Defendant moved for summary judgment, and the United States District Court for the Western District of Washington granted it in July 2010. The case is Cubbage v. The Talbots, Inc., 2010 WL 2710628 (W.D. Wa. 2010).
Talbots had argued that the call made to Mr. Cubbage’s wife was permissible because it had an established business relationship with her. Indeed, she had made a purchase at one of the Talbots stores eighteen months before the April 2009 call. Mr. Cubbage argued that since he is the one who listened to the message, the EBR exception did not apply. The Court, however, disagreed, holding that if a member of a household creates an EBR, that consent extends to calls made to that person’s telephone number.
Mr. Cubbage also argued that the FCC lacked the authority to enact the EBR exemption, but the Court considered that it lacked jurisdiction to consider the validity of the EBR as a rule.
THE WASHINGTON AUTOMATIC DIALING AND ANSWERING DEVICES ACT DOES NOT APPLY TO “CONVERSATIONS”
Mr. Cubbage also asserted a state claim pursuant to WADAD. The statute defines “commercial solicitation” as “the unsolicited initiation of a telephone conversation for the purpose of encouraging a person to purchase property, goods, or services.” Under the statute, “no person may use an automatic dialing and announcing device for purposes of commercial solicitation. This [statute] applies to all commercial solicitation intended to be received by telephone customers within the state.”
Talbots argued that it had not violated the WADAD because the call was not intended to be a “telephone conversation.” On this reading, a distinction may be made between prerecorded calls that initiate a conversation and calls that simply convey information without conversation. The Court agreed, after quoting several definitions of “conversation” as a spoken exchange between two or more people.
Plaintiff asserted that such an interpretation eviscerates the statute, in essence stripping it of its power to protect Washington State residents from unwanted calls. He is not alone: Assistant Attorney General Shannon Smith is quoted in an article in The Seattle Times as saying that this “very narrow interpretation of the statute… eviscerates the whole intent of the Legislature.” Her office may file a brief as amicus curiae in support of Mr. Cubbage’s appeal to the Ninth Circuit Court of Appeals.
The U.S. Supreme Court agreed on September 28, 2010, to review whether Exemption 7(C) of the Freedom of Information Act (FOIA), protecting “personal privacy,” protects not only the privacy of individuals, but also the privacy of corporate entities. The case is Federal Communications Commission v. AT&T, Inc. Docket No. 09-1279.
The facts of the case are as follows. AT&T had provided equipment and services to a federal program administered by the Federal Communications Commission (FCC) geared at increasing schools’ access to advanced telecommunications technology. AT&T found out in 2004 that it may have overcharged the Government for some work, and voluntarily reported that fact to the FCC. The FCC Enforcement Bureau (Bureau) then conducted an investigation. As part of this investigation, AT&T produced various documents to the Bureau. In April 2005, a trade association representing some of AT&T’s competitors submitted a FOIA request for documents in this investigation file. AT&T submitted an objection to disclosure, arguing that FOIA’s exemptions prohibited disclosure.
FOIA, U.S.C. § 552, was enacted by Congress in 1966 in order to improve public access to information controlled by federal agencies. Congress wanted FOIA to reflect "a general philosophy of full agency disclosure unless information is exempted under clearly delineated statutory language." S.Rep. No. 89-813, at 3 (1965). Indeed, there are nine enumerated statutory exemptions allowing an agency to withhold documents responsive to a FOIA request. One of these exemptions is codified at § 552(b)(7)(C) (Exemption 7(C)): FOIA does not apply to “records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information could reasonably be expected to constitute an unwarranted invasion of personal privacy.”
FOIA does not define “personal,” but “person” is defined by the Administrative Procedure Act (APA), 5 U.S.C. § 551(2), as “includ[ing] an individual, partnership, corporation, association, or public or private organization other than an agency.” The FOIA was enacted as an amendment to the APA, so it can be argued that this definition applies to FOIA as well.
The Bureau issued a letter-ruling in August 2005, rejecting AT&T’s argument that Exemption 7(C) prohibited disclosure, because corporations lack “personal privacy.” AT&T asked the FCC to review this ruling, and in October 2008 the FCC issued an order compelling disclosure, reasoning that Exemption 7(C) does not apply to corporations. AT&T then filed a petition to review the FCC’s order, arguing that an incorrect interpretation of Exemption 7(C) prevented a corporation from claiming a personal privacy interest.
The Third Circuit reviewed the FCC’s order, granted AT&T’s petition for review on September 22, 2009, and remanded for further agency proceedings. The Court held that FOIA “unambiguously indicates that a corporation may have a ‘personal privacy’ interest within the meaning of Exemption 7(C).” The Third Circuit reasoned that Exemption 7(F) of FOIA prohibits disclosure of information that, if released, “could reasonably be expected to endanger the life or physical safety of any individual” (emphasis in the Third Circuit decision), thus indicating that Congress wanted only human beings to benefit from Exemption 7(F). Since Congress did not use the same language in Exemption 7(C), it indicates that Congress wanted it to have a broader protective scope. Also, it reasoned that “personal” is the adjectival form of “person” and that “it would be very odd indeed for an adjectival form of a defined term not to refer back to that defined term.”
The FCC and the Government petitioned the Supreme Court for a writ of certiorari, and the Supreme Court granted it on September 28.
The Government argued in the petition that “the law ordinarily protects personal privacy to safeguard human dignity and preserve individual autonomy,” and “such concepts do not comfortably extend to a corporation.” The Third Circuit noted in footnote 5 of the ruling that “corporations, like human beings, face public embarrassment, harassment, and stigma” if they are involved in law enforcement investigations. The government shunned “this attempted personification of an entity.”
However, in Citizens United v. Federal Election Commission, 558 U.S. 50 (2010), the Supreme Court held that corporations cannot be prevented by the government from spending money in order to support or to denounce a political candidate, as corporate spending is a form of political speech. The Supreme Court cited the precedent of First Nat. Bank of Boston v. Bellotti, 435 U. S. 765 (1978), to state that “the First Amendment does not allow political speech restrictions based on a speaker’s corporate identity.” Will corporations now have a right to privacy?
The government also argued that if the APA definition of “person,” which includes public organizations other than a federal government agency, applied to FOIA, then state, local and foreign governments and governmental components would be given a right to privacy, and federal agencies answering a FOIA request would have to balance the public interest in disclosure against the privacy interests of corporations and governments. This may jeopardize public disclosure of government records. Indeed, Public Citizen, the Electronic Frontier Foundation and other nonprofit organizations have filed a brief of Amici Curiae stating that the Third Circuit’s decision undermines the core purpose of the FOIA and would prevent records concerning government oversight of industry from being made available to the public. Once again, the delicate balance between the right of privacy, if there is such a right for corporations, and freedom of information will have to be assessed by the Supreme Court.
The Department of Health and Human Services (“HHS”) received numerous comments on its proposed modifications to the Health Insurance Portability and Accountability Act Privacy, Security and Enforcement Rules, which were issued on July 8, 2010. Some highlights from the comments are outlined below.
Enforcement Rule
The American Hospital Association (“AHA”) suggested that HHS should continue to require the Secretary of HHS to attempt to resolve a complaint or compliance review through informal means, instead of making the informal resolution process optional. According to the AHA, making “resolution via informal means optional, regardless of the perceived level of culpability of a particular entity” would not be appropriate or effective. The Coalition for Patient Privacy, on the other hand, recommended stricter enforcement so that “the only category of violators that should not be penalized with fines are those who despite due diligence could not discover the violation, who reported the violation immediately when discovered, and fully corrected the problems within 30 days of discovery.”
Privacy Rule
The AHA requested that HHS “consider modifying the Privacy Rule to make clear which provisions are directly applicable to business associates and to specify business associates’ compliance obligations associated with each of these provisions” in order to “provide greater clarity and better facilitate compliance” with the Privacy Rule. The Association of American Medical Colleges recommended that the exception to the rule prohibiting the sale of protected health information (“PHI”) for research purposes be expanded to include PHI that is provided to a data registry for the purpose of giving researchers access to a larger pool of data for their research.
Security Rule
The American Health Information Management Association expressed concern that the modifications to the Security Rule “appear to suggest that Covered Entities do not need to make as many specific requirements of a Business Associate as in the pre-HITECH agreements because the Business Associate becomes directly subject to HIPAA.” The Coalition for Patient Privacy went further and recommended that HHS require all business associates and covered entities to “undergo meaningful and comprehensive security and privacy audits annually, to establish and prove that their methods of operation do in fact safeguard patient information.”
HHS will accept or reject the submitted comments to the modifications to the HIPAA Rules and decide whether to incorporate them into the Final Rule, which is expected to be published by the end of 2010.