IAPP Guide to FTC Privacy Enforcement

(May 5, 2017) This guide from the IAPP Westin Research Center describes the various paths the Federal Trade Commission may pursue when it brings privacy cases under its primary consumer protection authority, Section 5(a) of the FTC Act. The guide also discusses the various avenues that the FTC may pursue in seeking these remedies (e.g. administrative adjudication and filing suit directly in federal district court), and how these respective avenues lead to different available outcomes (e.g. fines, injunctive r...

It takes 21 hours to build a DPO, and much more

(Jan 25, 2017) With the EU's General Data Protection Regulation, the role of the data protection officer has come into sharp focus. Many organizations, especially those processing large amounts of EU citizen data or particularly sensitive data, will have to appoint a DPO, either someone already on staff or someone new to the organization. Some organizations may choose to outsource. Regardless, the question remains as to how to create a DPO when no obvious candidate in the organization exists. In an analysis of...

The Ramirez legacy of enforcement at the FTC

(Jan 16, 2017) Since the spring of 2013, when Chairwoman Edith Ramirez began her tenure at the Federal Trade Commission, the FTC has brought numerous enforcement actions to enforce privacy promises and improve data security practices. With Chairwoman Ramirez at its helm, the FTC has described its activities as targeting its enforcement practices to ensure that new technological developments — including big data, mobile devices, and IoT — advance in a way that respects consumer privacy. Last week, Ramirez anno...

Intangible Privacy Harms Post-Spokeo

(Dec 15, 2016) The United States Supreme Court’s ruling in Spokeo v. Robins last May aimed to clarify standing requirements for privacy-related class-action lawsuits under Article III of the U.S. Constitution. Specifically, Spokeo brought to the foreground two key points: that particularization and concreteness are distinct but necessary standing requirements, and that a concrete harm may be either tangible or intangible to meet Article III standing. Particularization and concreteness have featured in class-a...

Dutch court case a wake-up call for companies doing business in the EU

(Dec 14, 2016) A recent court case in the Netherlands reinforced existing EU data protection obligations for companies not established in the EU. Such companies are required to appoint a representative in each member state in which they operate. Specifically, the Administrative Court in The Hague affirmed a data protection authority-imposed penalty against WhatsApp for not appointing a representative in the Netherlands. In this exclusive for Privacy Tracker, Privacy Management Partners' Jeroen Terstegge, CIPP/...

US appeals court narrows FTC's 'unfair' standard in LabMD case

(Nov 14, 2016) With Washington still reeling from the implications of a Trump administration for privacy and antitrust regulation by the Federal Trade Commission, a U.S. federal appeals court has dealt a blow to the agency’s interpretation of the “unfairness” prong of the Federal Trade Commission Act. In a ruling issued last Thursday, the 11th U.S. Circuit Court of Appeals held in LabMD, Inc. v. FTC that in cases of a security breach, mere emotional harm and acts causing only a low likelihood of consumer harm ...

LabMD and the new definition of privacy harm

(Aug 22, 2016) If a tree falls in the woods and there’s no one around to hear it, does it make a sound? According to the Federal Trade Commission, yes it does. In its recent LabMD ruling, the FTC found that the mere fact that sensitive medical records were publicly available, without any evidence that consumers suffered any adverse effects or were even aware of the breach, was enough to support a finding of substantial consumer injury. In so finding, the LabMD decision offers the most detailed portrait yet of ...

GDPR Complaint-Process Map

(Aug 16, 2016) The General Data Protection Regulation is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each Member State and will lead to a greater degree of data protection harmonization across EU nations. The GDPR empowers data subjects to seek judicial relief for damages and file administrative complaints with supervisory authorities. The GDPR’s consistency mechanisms – encouraging supervisory authorities to cooperate and agree on infringeme...

We’ve got a finalized Privacy Shield agreement: What’s new?

(Jul 12, 2016) The first draft of the EU-U.S. Privacy Shield, released in February, received intense scrutiny from the likes of the Article 29 and Article 31 working parties, the EU Parliament, the European Council, and various industry groups. Today, the European Commission and U.S. Department of Commerce released a final draft, incorporating and addressing that feedback. So, what changed? In this piece for Privacy Tracker, IAPP Westin Fellow Gabe Maldoff, CIPP/US, identifies the edits and looks at what they ...

How GDPR changes the rules for research

(Apr 19, 2016) The General Data Protection Regulation (GDPR) will come into effect in the spring of 2018, replacing the Data Protection Directive 95/46/EC and imposing new obligations on organizations that process the personal data of European Union residents. While the Regulation aims to bolster privacy rights, it arrives as a centerpiece of the EU Digital Single Market, an initiative designed to boost digital innovation within the EU. By harmonizing privacy legislation across the EU member states and carvin...