Seventh Circuit Limits FTC’s Monetary Restitution Powers

The ability of the Federal Trade Commission (“FTC”) to obtain monetary restitution for consumers just took a major loss in the Seventh Circuit Court of Appeals. The court ruled that Section 13(b) of the FTC Act only authorizes the FTC to obtain restraining orders and injunctions; it does not authorize the FTC to obtain equitable monetary relief for consumers, which in practice has included ex parte asset freezes on e-commerce merchants’ bank accounts. Prior to this decision, courts had read Section 13(b) as implicitly allowing the FTC to obtain monetary restitution for consumers.

In this case (FTC v. Credit Bureau Center), the FTC showed the court that an online credit bureau retailer deceived consumers into enrolling in its service by posting misleading statements about receiving a “free” credit report (when in fact it was not free), and thereby deceptively led consumers into purchasing a recurring monthly credit monitoring service. The federal district court held that the retailer had violated the FTC Act and other consumer protection laws, entered summary judgment in favor of the FTC, and ordered the retailer to pay equitable monetary relief to consumers. On appeal, the Seventh Circuit affirmed the FTC’s power to obtain restraining orders and injunctions, but specifically ruled that because Section 13(b) of the FTC Act does not state that the FTC can obtain monetary restitution for consumers, the FTC cannot do so under Section 13(b).

This is a significant decision because, under its current practices, the FTC may no longer be able to rely on Section 13(b) of the FTC Act to obtain monetary restitution for consumers arising from false and misleading statements and deceptive acts or practices, e.g., ROSCA violations and data breaches. The Seventh Circuit (which has jurisdiction over the federal district courts in Illinois, Indiana and Wisconsin) is the first federal court of appeals to limit the FTC’s ability to obtain monetary restitution for consumers under Section 13(b), creating a circuit split among the federal appellate courts.

Given the impact that this appellate opinion has on the FTC’s monetary restitution powers, it is foreseeable that this decision will be appealed to the US Supreme Court, which will ultimately determine the FTC’s powers under Section 13(b) of the FTC Act. If the Supreme Court agrees with the Seventh Circuit, the FTC’s ability to obtain monetary restitution under Section 13(b) will be severely curtailed.

In the interim, expect the FTC to seek monetary restitution for consumers under other provisions of the FTC Act (e.g., Sections 5(m)(1)(B) and 19) and other statutes that the FTC administers and enforces.

For guidance through the legal and regulatory compliance land mines of FTC Compliance, ROSCA and data breaches, do not hesitate to contact Mark Ishman, a member of Gordon Rees’ Advertising and E-Commerce and Privacy, Data & Cybersecurity Practice Groups.

EU-US Privacy Shield – How to Opt In and Self Certify

The Privacy Shield provides a means to transfer EU personal data in accordance with certain EU data privacy principles.

As of August 1, 2016, US companies may self-certify to the Privacy Shield as a means of complying with EU data protection laws when transferring EU personal data from the EU to the US. (For background information on the EU-US Privacy Shield, see the March 2016 Article.)

Companies should consider self-certifying to the Privacy Shield if they wish to minimize their liability exposure on several fronts, e.g., regulatory compliance with the EU Data Protection Directive and with federal and state laws, and the risk of data breach and regulatory compliance litigation. Additionally, by operating in accordance with these data privacy principles, companies build goodwill with their consumers and business partners.

Pre-Certification Assessment/Audit

Prior to self-certifying, companies need to conduct a self-assessment/audit to determine whether their current business practices meet the minimum standards set forth in the Privacy Shield framework. There will likely be some work involved for most companies to self-certify to the Privacy Shield, but it is manageable when proper resources are allocated to the self-certification requirements.

Although not a complete list of all pre-certification requirements, the following are required to self-certify to the Privacy Shield.

First, companies will need to assess their external and internal privacy policies, and their procedures for collecting, processing, storing and transferring EU personal data. Each policy and procedure will need to comply with the 7 Privacy Shield Principles and, as applicable, the 16 Supplemental Privacy Shield Principles. A summary of these principles is available from the US Department of Commerce.

Second, once this assessment/audit is complete, companies will likely need to update their privacy policies and procedures and their contracts with business partners. Companies that self-certify to the Privacy Shield by September 30, 2016 will be given a 9-month grace period to bring their contracts with business partners into conformance.

Third, the Privacy Shield requires companies to implement specific complaint and dispute policies and procedures, which include replying promptly to all complaints, identifying a point-of-contact person/officer for complaints, and providing an independent recourse mechanism to EU consumers.

Fourth, companies are required to notify the public that they have self-certified to the Privacy Shield. This includes publishing the Privacy Shield logo and the required self-certification language on their websites, and appointing a person responsible for compliance.

Self-Certifying to the Privacy Shield

Once companies complete their pre-certification assessment/audit, then they will be ready to certify to the Privacy Shield.

Self-certification to the Privacy Shield requires companies to submit a written application/certification to the US Department of Commerce. There is also a required fee. See the Federal Register notice of July 22, 2016, Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework.

Post Certification

After self-certifying to the Privacy Shield, companies must walk the walk. This requires a coordinated effort to comply with their Privacy Policy and maintain good standing on the Privacy Shield list of self-certifying companies.

Additionally, companies must re-certify each year with the US Department of Commerce, which means self-certifying to the Privacy Shield is an ongoing obligation rather than a one-time event.

For guidance through the legal and regulatory compliance land mines of self-certifying, do not hesitate to contact Mark Ishman, a member of Gordon Rees’ Privacy & Data Security Practice Group.

Just When You Thought EU “Model Clauses” Are Safe to Transfer EU Data, Think Again

After the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor framework for EU-US data transfer, companies began to rely on the EU’s “Model Clauses” as a valid means of transferring data from the European Union. In fact, almost all multi-national corporations adopted “Model Clauses” as the interim best practice to transfer EU data from the European Union.

However, the EU “Model Clauses” do not directly address US national security surveillance laws, which remain unchanged and continue to apply to large multi-national corporations. This has given rise to the latest CJEU proceeding, initiated by the Irish Data Protection Commissioner (DPC). The DPC recently announced that it will ask the CJEU to determine whether Facebook can transfer EU data out of the European Union by relying on the EU’s Model Clauses. A copy of the press release can be found here.

In addition to the ongoing EU-US Privacy Shield negotiations that will likely continue for at least the next year, we must now watch for the CJEU’s decision on whether EU “Model Clauses” adequately protect EU data from big government surveillance practices. Given the current state of EU data transfers, best practices must continue to be examined and developed by the data privacy industry.

Insurance Carrier Must Defend Its Insured Who Inadvertently Published Private Medical Records on the Internet

The Fourth Circuit Court of Appeals affirmed a Virginia Federal District court’s decision that examined the language of a commercial general liability (CGL) policy and held that an insurance carrier was required to defend its insured medical records company in a class-action lawsuit when its insured inadvertently published private patient medical records on the Internet. See Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., No. 14-1944 (4th Cir. Apr. 11, 2016).

Both the Virginia District Court and the Fourth Circuit rejected the insurance company’s argument that there cannot be a “publication” unless its insured intended to communicate information to others. In so doing, the courts reasoned that the insurance carrier had a duty to defend because its CGL policy did not provide clear enough language as to what conduct constituted a “publication.”

This decision shows that there may be coverage for data breaches outside of policies written specifically for data breach scenarios, i.e., cyber liability insurance policies. That said, the Travelers opinion is likely limited to inadvertent publications by an insured, as opposed to a hacker breaking into a network and then publishing the information on the Internet.

EU-US Privacy Shield: US Companies Should Adopt and Apply Its Data Privacy Principles

The EU and US have announced another agreement requiring US companies to self-certify that they comply with certain data privacy principles in order to conduct transatlantic data transfers. This agreement is called the EU-US Privacy Shield (“Privacy Shield”) and is similar to its predecessor, the Safe Harbor program, but requires US companies to conform to more stringent data privacy standards. Although the EU and US have announced the deal, the Privacy Shield has not yet been finalized or enacted, as the authorities are still negotiating a final version of the agreement.

In the interim, US companies that intend to do business in Europe over the long term should consider adopting the Privacy Shield’s published Privacy Principles into their business practices. Doing so would not only put them on a fast track to self-certification under the Privacy Shield, but would also reduce their exposure to data privacy/breach liability in the US.

Under the first published draft of the Privacy Shield, US companies must adopt and implement certain Privacy Principles in order to collect, store and transfer EU personal data. The Privacy Shield’s Privacy Principles are generally sound data privacy and security policies and procedures that, when implemented, would help a company minimize its exposure to data breach liability here in the United States (e.g., under Section 5 of the Federal Trade Commission Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), state data breach notification laws, etc.).

In fact, where US law does not already require US companies to adopt some of the Privacy Shield’s Privacy Principles, most of these principles have been recognized as good practices in the administrative and judicial decisions that have applied these US privacy and data breach laws.

A closer look at the Privacy Shield’s Privacy Principles shows how they can minimize US companies’ liability exposure while building goodwill with their consumers.

The Privacy Shield requires US companies that collect, store and transfer EU personal data to adopt and implement into their business practices and policies, the following:

(1)   Notice. US companies must provide Notice to their data subjects of how they collect, store, transfer and otherwise process their data, covering 13 enumerated items. Among other things, the Notice must include:

  • the type of data they are collecting,
  • the purpose of processing their data,
  • the right to access their data,
  • the right to choose whether the US companies can continue to collect, store and transfer their data (i.e., opt-out),
  • the conditions for onward transfers of their data, and
  • who is liable and what remedies are available to them for security breaches involving their data.

US companies should provide this Notice as part of the Privacy Policy on their websites for their data subjects to review. The website Privacy Policy must include links to the US Department of Commerce’s website for additional information on self-certification, the rights of data subjects and the available recourse mechanisms. US companies must also identify their Privacy Shield self-certification and the independent dispute resolution provider they have designated (see Recourse, Enforcement and Liability below).

(2)   Choice. US companies must give their data subjects a Choice to opt out of the collection, storage and transfer of their data, particularly when a US company changes its data privacy practices. If a US company is a direct marketer, special opt-out rules apply that allow data subjects to opt out at any time from the use of their personal data.

(3)   Security. US companies collecting, storing and transferring personal data must take “reasonable and appropriate” security measures to minimize the data security risks involved in that collection, storage and transfer. “Reasonable and appropriate” security measures must be implemented by US companies because those measures will be the key subject investigated and litigated after any data security breach. If a US company subcontracts any of its security obligations under the Privacy Shield, the subcontracted services must be set out in an executed agreement in which the subcontractor guarantees the same level of protection as the Privacy Shield (i.e., the Privacy Principles) and guarantees implementation of those privacy measures.

(4)   Data Integrity and Purpose Limitation. US companies must limit their collection, storage and transfer of personal data to what is compatible with the purposes stated in their Privacy Policy Notice, and must maintain the integrity of that data (i.e., keep it accurate and complete) while using it.

(5)   Access. US companies must provide Access rights to EU data subjects to their data as follows:

  • provide Access to their data without justification (i.e., for any reason),
  • respond to Access requests without an excessive fee,
  • respond to Access requests within a “reasonable” time frame,
  • provide confirmation that they are processing their data, and
  • provide Access to correct, amend or delete personal information where it is inaccurate or has been processed in violation of these Privacy Principles.

There are a few limited exceptions to these Access rights that apply only in exceptional circumstances. Otherwise, US companies bear the burden of demonstrating that these Access rights are being provided to EU data subjects.

(6)   Accountability for Onward Transfer. When transferring EU personal data onward to third-party controllers or processors, US companies remain accountable for that onward transfer and must:

  • limit the transfer to a specified purpose;
  • transfer only under the terms of an executed agreement;
  • transfer only if the executed agreement provides the same level of protection as the Privacy Principles; and
  • as controllers, remain accountable for all compliance problems, except those caused by the gross negligence of a processor.

(7)   Recourse, Enforcement and Liability. If EU personal data is mishandled while being collected, stored or transferred, US companies must have in place an effective redress mechanism to deal with the resulting complaints, which includes the following:

  • US companies must publish in their Privacy Policy a Data Privacy/Security Contact Person, who may be within or outside the company, to handle all data privacy/security complaints. This is required so that individuals can file complaints directly with Privacy Shield companies.
  • US companies must respond to all data privacy/security complaints within 45 days of receipt.
  • Such responses to complaints must “provide an assessment of the merits of the complaint and, if so, information as to how the organization will rectify the problem.”
  • US Companies must “retain their records on the implementation of their privacy polices and make them available upon request in the context” of a data privacy/security investigation or complaint.

EU data subjects can also bring complaints to their independent EU data protection authorities (DPAs), which will investigate and attempt to resolve individual complaints and provide appropriate recourse to EU data subjects free of charge.

Privacy Shield companies must also offer alternative dispute resolution through an independent dispute resolution provider, free of charge to the data subject. As a last resort, EU data subjects may invoke binding arbitration before a “Privacy Shield Panel” of arbitrators appointed by the US Department of Commerce and the EU Commission.

The US Department of Commerce, Federal Trade Commission and other data protection authorities will also have the authority to investigate and prosecute US companies for non-compliance with the EU-US Privacy Shield.

(8)   Self-Certify. US companies must annually self-certify that they comply with the Privacy Shield’s principles and practices. “This can be done through a system of self-assessment, which must include internal procedures ensuring that employees receive training on the implementation of the company’s privacy policies and that compliance is periodically reviewed in an objective manner, or outside compliance reviews, the methods of which may include auditing and random checks.” Additionally, US companies must file their self-certification of adherence to the Privacy Principles with the Department of Commerce, which will then publish the self-certified US companies on a “Privacy Shield List.”

As with all legal matters, there are exceptions to some of the Privacy Shield rules identified above. Additionally, there are other provisions of the Privacy Shield not discussed here that may apply to US companies in worst-case data security breach scenarios.

As discussed in our last blog article, the EU Commission’s subcommittees are now reviewing the Privacy Shield with the purpose of submitting comments to the EU Commission. Once these comments are received, the EU Commission will either approve the Privacy Shield or require additional edits to it. During this EU review period, new US laws may also need to be enacted to authorize and facilitate the privacy authority and procedures set forth in the Privacy Shield. Expect another update on edits to the current draft of the Privacy Shield. It may be another 6 to 12 months before the Privacy Shield is enacted and fully effective.

In the interim, adopting the above Privacy Shield rules into your business practices would put you on a fast track to comply with the EU-US Privacy Shield once it is enacted, build goodwill with your consumers, and minimize your exposure to data breach liability under the Privacy Shield and US federal and state laws.

EU-US Privacy Shield: What Does this Mean for the Private Sector?

It’s déjà vu all over again: the EU and US have announced that they have reached an agreement in principle on new rules governing transatlantic data transfers. They are now finalizing the agreement, which will be called the EU-US Privacy Shield. The EC announced that it will prepare a draft “adequacy decision” on the Privacy Shield in the upcoming weeks (ETA: end of February).

At this time, deal terms of this agreement related to the private sector are slowly being disclosed, such as:

  • “Strong obligations” on companies that handle Europeans’ personal data, coupled with “robust enforcement”.
  • US companies will be required to declare that, based on their interpretation of the Privacy Shield and related laws, they are compliant with it. Companies that breach their commitments would face escalating sanctions, up to and including “removal from the list” of firms legally allowed to collect EU citizens’ data and transfer it to the US.
  • The Department of Commerce and the FTC will have significant roles in enforcing the terms of the agreement. It appears that the US Department of Commerce will monitor what companies publish as their commitments to protect and secure personal data, and the FTC will be in charge of enforcement under US law.
  • There will be regulations for companies handling human resource data from Europe, requiring at a minimum that they comply with decisions by EU’s data protection authorities.
  • There will be new complaint procedures for EU citizens to utilize to complain about misuse of their personal data in the US, from making initial complaints to the particular US company, all the way to complaint procedures involving the US Department of Commerce and FTC.

The Privacy Shield has already received criticism. Some argue that it is not really an agreement/treaty, but a letter of understanding or pledge. Others argue that it will be struck down by the European Court of Justice.

As this works itself out over the next several months, the Article 29 Working Party, the body made up of representatives of the individual EU Member States’ data protection authorities (DPAs), has announced that it will allow more time for the EU and US to finalize the Privacy Shield and will not take enforcement action against companies using alternative transfer mechanisms (contracts) in the wake of last year’s Safe Harbor invalidation (Schrems).

We will need to actually see the Privacy Shield language in order to provide compliance advice. However, in the interim, we will continue to monitor the finalization of this agreement (ETA: end of April) and provide updates to you.