隐私 数据保护 和网络安全 法律评论_第1页
隐私 数据保护 和网络安全 法律评论_第2页
隐私 数据保护 和网络安全 法律评论_第3页
隐私 数据保护 和网络安全 法律评论_第4页
隐私 数据保护 和网络安全 法律评论_第5页
已阅读5页,还剩36页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

ThePrivacy,

DataProtectionandCybersecurityLawReview

Editor

AlanCharlesRaul

LawBusinessResearch

ThePrivacy,DataProtectionandCybersecurityLawReview

ThePrivacy,DataProtectionandCybersecurityLawReviewReproducedwithpermissionfromLawBusinessResearchLtd.

ThisarticlewasfirstpublishedinThePrivacy,DataProtectionandCybersecurityLawReview-Edition1

(publishedinNovember2014–editorAlanCharlesRaul).

Forfurtherinformationpleaseemail

Nick.Barette@

ThePrivacy,

DataProtectionandCybersecurityLawReview

Editor

AlanCharlesRaul

LawBusinessResearchLtd

THELAWREVIEWS

THEMERGERSANDACQUISITIONSREVIEWTHERESTRUCTURINGREVIEW

THEPRIVATECOMPETITIONENFORCEMENTREVIEWTHEDISPUTERESOLUTIONREVIEW

THEEMPLOYMENTLAWREVIEW

THEPUBLICCOMPETITIONENFORCEMENTREVIEWTHEBANKINGREGULATIONREVIEW

THEINTERNATIONALARBITRATIONREVIEWTHEMERGERCONTROLREVIEW

THETECHNOLOGY,MEDIAANDTELECOMMUNICATIONSREVIEW

THEINWARDINVESTMENTANDINTERNATIONALTAXATIONREVIEW

THECORPORATEGOVERNANCEREVIEWTHECORPORATEIMMIGRATIONREVIEW

THEINTERNATIONALINVESTIGATIONSREVIEWTHEPROJECTSANDCONSTRUCTIONREVIEWTHEINTERNATIONALCAPITALMARKETSREVIEWTHEREALESTATELAWREVIEW

THEPRIVATEEQUITYREVIEW

THEENERGYREGULATIONANDMARKETSREVIEWTHEINTELLECTUALPROPERTYREVIEW

THEASSETMANAGEMENTREVIEW

THEPRIVATEWEALTHANDPRIVATECLIENTREVIEWTHEMININGLAWREVIEW

THEEXECUTIVEREMUNERATIONREVIEW

THEANTI-BRIBERYANDANTI-CORRUPTIONREVIEWTHECARTELSANDLENIENCYREVIEW

THETAXDISPUTESANDLITIGATIONREVIEWTHELIFESCIENCESLAWREVIEW

THEINSURANCEANDREINSURANCELAWREVIEWTHEGOVERNMENTPROCUREMENTREVIEWTHEDOMINANCEANDMONOPOLIESREVIEW

THEAVIATIONLAWREVIEW

THEFOREIGNINVESTMENTREGULATIONREVIEWTHEASSETTRACINGANDRECOVERYREVIEWTHEINTERNATIONALINSOLVENCYREVIEW

THEOILANDGASLAWREVIEWTHEFRANCHISELAWREVIEW

THEPRODUCTREGULATIONANDLIABILITYREVIEWTHESHIPPINGLAWREVIEW

THEACQUISITIONANDLEVERAGEDFINANCEREVIEW

THEPRIVACY,DATAPROTECTIONANDCYBERSECURITYLAWREVIEW

www.TheLawReviews.co.uk

PUBLISHER

GideonRoberton

BUSINESSDEVELOPMENTMANAGER

NickBarette

SENIORACCOUNTMANAGERS

KatherineJablonowska,ThomasLee,JamesSpearing

ACCOUNTMANAGER

FelicityBown

PUBLISHINGCOORDINATOR

LucyBrewer

MARKETINGASSISTANT

DominiqueDestrée

EDITORIALASSISTANT

ShaniBans

HEADOFPRODUCTIONANDDISTRIBUTION

AdamMyers

PRODUCTIONEDITOR

TimothyBeaver

SUBEDITOR

JaninaGodowska

MANAGINGDIRECTOR

RichardDavey

PublishedintheUnitedKingdombyLawBusinessResearchLtd,London

87LancasterRoad,London,W111QQ,UK

©2014LawBusinessResearchLtd

www.TheLawReviews.co.uk

Nophotocopying:copyrightlicencesdonotapply.

Theinformationprovidedinthispublicationisgeneralandmaynotapplyinaspecificsituation,nordoesitnecessarilyrepresenttheviewsofauthors’firmsortheirclients.Legaladviceshouldalwaysbesoughtbeforetakinganylegalactionbasedontheinformationprovided.Thepublishersacceptnoresponsibilityforanyactsoromissionscontainedherein.AlthoughtheinformationprovidedisaccurateasofNovember2014,beadvisedthatthisisadevelopingarea.

EnquiriesconcerningreproductionshouldbesenttoLawBusinessResearch,attheaddressabove.Enquiriesconcerningeditorialcontentshouldbedirected

tothePublisher–

gideon.roberton@

ISBN978-1-909830-28-8

PrintedinGreatBritainbyEncompassPrintSolutions,Derbyshire

Tel:08442480112

ACKNOWLEDGEMENTS

i

Thepublisheracknowledgesandthanksthefollowinglawfirmsfortheirlearnedassistancethroughoutthepreparationofthisbook:

ASTREA

BALLAS,PELECANOS&ASSOCIATESLPCBOGSCH&PARTNERSLAWFIRMDUNAUDCLARENCCOMBLES&ASSOCIÉSELIG,ATTORNEYS-AT-LAW

JONESDAYKIM&CHANGNNOVATIONLLP

NOERR

PINHEIRONETOADVOGADOSSANTAMARINAYSTETA,SCSIDLEYAUSTINLLP

SYNCHADVOKATAB

URÍAMENÉNDEZABOGADOS,SLPWINHELLERRECHTSANWALTSGESELLSCHAFTMBH

CONTENTS

PAGE\*roman

iii

Editor'sPreface v

AlanCharlesRaul

Chapter1 EUROPEANUNIONOVERVIEW 1

WilliamLong,GéraldineScaliandAlanCharlesRaul

Chapter2 APECOVERVIEW 19

CatherineValerioBarradandAlanCharlesRaul

Chapter3 BELGIUM 31

StevenDeSchrijverandThomasDaenens

Chapter4 BRAZIL 43

AndréZonaroGiacchettaandCiroTorresFreitas

Chapter5 CANADA 54

ShaunBrown

Chapter6 FRANCE 70

MeravGriguer

Chapter7 GERMANY 83

Jens-MarwinKoch

Chapter8 GREECE 98

GeorgeBallasandTheodoreKonstantakopoulos

Chapter9 HONGKONG 113

YuetMingThamandJoanneMok

Chapter10 HUNGARY 127

TamásGödölleandPéterKoczor

PAGE\*roman

iv

Contents

Chapter11 ITALY 142

StefanoMacchidiCellere

Chapter12 JAPAN 156

TakahiroNonaka

Chapter13 KOREA 170

JinHwanKim,BrianTae-HyunChung,JenniferSKehandInHwanLee

Chapter14 MEXICO 180

CésarGCruz-AyalaandDiegoAcosta-Chin

Chapter15 RUSSIA 194

VyacheslavKhayryuzov

Chapter16 SINGAPORE 204

YuetMingTham,IjinTanandTeenaZhang

Chapter17 SPAIN 219

CeciliaÁlvarezRigaudiasandReyesBermejoBosch

Chapter18 SWEDEN 230

JimRunstenandCharlottaEmtefall

Chapter19 TURKEY 241

GönençGürkaynakandİlayYılmaz

Chapter20 UNITEDKINGDOM 253

WilliamLongandGéraldineScali

Chapter21 UNITEDSTATES 268

AlanCharlesRaul,TashaDManoranjanandVivekMohan

Appendix1 ABOUTTHEAUTHORS 295

Appendix2 CONTRIBUTINGLAWFIRMS'CONTACTDETAILS 309

PAGE\*roman

v

EDITOR’SPREFACE

ThefirsteditionofThePrivacy,DataProtectionandCybersecurityLawReviewappearsatatimeofextraordinarypolicychangeandpracticalchallengeforthisfieldoflawandregulation.IntheUnitedStates,massivedatabreacheshaveviedwithEdwardSnowdenandforeignstate-sponsoredhackingtomakethebiggestimpressiononbothpolicymakersandthepublic.InEurope,the‘righttobeforgotten’,thedraconiannewpenaltiesproposedinthedraftDataProtectionRegulationandtheSnowdenleaks,havesignificantlyalteredthepolicylandscape.

Moreover,thefreneticconversionoftheglobaleconomytoanincreasinglydigital,internet-drivenmodelisalsostimulatingarapidchangeinprivacy,dataprotectionandcybersecuritylawsandregulations.Governmentsareplayingcatch-upwithtechnologicalinnovation.Itisreportedthathalftheworld’spopulationwillbeonlineby2016andtheeconomiesofemergingnations(except,perhaps,inAfrica)arebeingdevelopeddirectlythroughelectroniccommerceratherthantakingtheintermediatestepofindustrialgrowthasWesterneconomiesdid.Growthandchangeinthisareaisaccelerating,andrapidchangesinlawandpolicyaretobeexpected.

InFrance,whistle-blowinghotlinesaremeticulouslyregulated,butnow,incertainkeyareaslikefinancialfraudorcorruption,advanceauthorisationforthehotlinesisautomaticundera2014legalamendment.InSingapore,2014sawthefirstenforcementmatterunderthatcountry’sPersonalDataProtectionAct–imposingafinancialpenaltyonacompanythatsentunsolicitedtelemarketingmessages.InRussia,anew2014‘forcedlocalisation’lawrequiresdataaboutRussianstobestoredonserversin-countryratherthanwhereverthedatacanbemostefficientlymanagedandprocessed,andjurisdictionsaroundtheworldhavedebatedenactingsuchproposals.Interestingly,whilenoticeofthelocationoftherelevantserversmustbeprovidedtotheRussiandataprotectionauthority,itisnotclearwhetherthelawprohibitspersonaldatatobesimultaneouslystoredbothin-countryandinforeignservers.

TheEuropeanUnioncontinuestoseektoextenditsmodelfordataprotectionregulationaroundtheworldbydeemingonlycountriesthatadoptthe‘omnibus’legislativeapproachoftheEUtobe‘adequate’fordataprotectionpurposes.TheEUmodelisnotbeinguniversallyendorsed,evenoutsidetheUSandtheAsiaandPacific

Editor’sPreface

PAGE\*roman

viii

EconomicCooperation(APEC)economies.Butnonetheless,theEU’sconstraintsoninternationaldatatransfershavesubstantiallyinhibitedtheabilityofmultinationalcompaniestomovepersonaldataaroundtheworldefficientlyforbusinesspurposes.Inparticular,conflictswiththeUSabound,exacerbatedbytheSnowdenleaksregardingUSgovernmentsurveillance.OneoftheprimarymethodsbywhichsuchEU–USdataflowsarefacilitated,theUS–EUSafeHarborregime,hascomeunderattackfromEUparliamentarianswhobelievethatsuchinformationwillnotbeascarefullyprotectedintheUSandcouldbecomemoresusceptibletosurveillance,despitethecomparablesurveillanceauthoritiesofEUintelligenceagencies.

WhilepolicyconflictsoverdataprotectionconflictsappearedtobemoderatingbeforetheSnowdenleaks,afterwards,officialsaroundtheworldprofessedtobesoshockedthatgovernmentswereconductingsurveillanceagainstpossibleterroriststhattheyappeartohavedecidedthatUSconsumercompaniesshouldpaytheprice.Someobserversbelievethatdigitaltradeprotection,andthedesiretopromoteregionalornational‘clouds’,playsomeroleintheantagonismleveledagainstUSinternetandtechnologycompanies.

ThefactthattheUSdoesnothaveanomnibusdataprotectionlaw,andthusdoesnothaveatop-levelprivacyregulatororcoordinator,meansthatithasbeendifficultfortheUStoexplainandadvocateforitsapproachtoprotectingpersonalinformation.ThishasallowedtheEUtofillaperceivedpolicyvoidbydenyingmutualrecognitiontoUSpractices,andtoimposesignificantextraterritorialregulatoryconstraintsonAmericanandothernon-Europeanbusinesses.

Nevertheless,itcannotbedeniedthatprivacyenforcementintheUSisdistinctlymoreaggressiveandpunitivethananywhereelseintheworld,includingtheEU.SubstantialinvestigationsandfinancialrecoverieshavebeenconductedandachievedbytheFederalTradeCommission(whichhascomprehensivejurisdictionoverconsumerdataandbusinesspractices),50stateattorneysgeneral(whohaveevenbroaderjurisdictionoverconsumerprotectionandbusinessactsandpractices),privateclassactionlawyerswhocanbringbroadlegalsuitsinfederalandstatecourts,andaplethoraofotherfederalandstateagencies,suchastheConsumerFinancialProtectionBureau,theFederalCommunicationsCommission,theDepartmentofHealthandHumanServices(formedicalandhealth-caredata),theDepartmentofEducation,theSecuritiesandExchangeCommissionandvariousbankingandinsuranceagencies.

Insum,therearenoshortageofprivacyregulatorsandenforcersintheUS,Europe,andAsia.EnforcementinSouthAmerica,aswellasAfricaandtheMiddleEastappearstobedevelopingmoreslowly.

Trumpingmanyotherprivacyconcerns,however,isthespateofdatabreachesandhackingthathavebeenepidemicandpartofpublicdiscourseintheyearsfollowingCalifornia’senactmentofthefirstdatabreachnotificationlawin2003.WhiletheUSappears(asaconsequenceofmandatoryreporting)tobesufferingthebulkofmajorcyberattacks–onretailers,financialinstitutionsandcompanieswithintellectualpropertyworthstealingbyforeigncompetitorsorgovernments–itisalsotruethattheUSisleadingtherestoftheworldondatabreachnotificationlawsandlawsrequiringthatcompaniesadoptaffirmativedatasecuritysafeguardsforpersonalinformation.

Forcorporateandcriticalinfrastructurenetworksanddatabases,theUShasalsoledthewaywithapresidentialexecutiveorderandtheCybersecurityFramework

developedbytheNationalInstituteofStandardsandTechnologyintheUSDepartmentofCommerce.TheUnitedKingdomhasalsobeenaleaderinthisarea,developingtheUKCyberEssentialsprogramme,whichwillsoonincludeanoptionforcompaniestobecertifiedascompliantwiththeprogramme’scybersecuritystandards.TheEUParliamenthasalsoenactedcybersecuritydirectives,andtheEU’sEuropeanNetworkandInformationSecurityAgencyhasprovidedextensiveandexpertanalysis,guidanceandrecommendationsforpromotingcybersecurityforEU-basedorganisations.

Despiteattemptstoimplementbaselinesforcybersafeguards,itappearsthatnooneisimmuneandnoorganisationissufficientlyprotectedtohaveanyconfidencethatitcanavoidbeingthevictimofsuccessfulcyberattacks,particularlybythesophisticatedhackersemployedbystatesponsors,organisedcrime,socialhacktivistsordetermined,renegadeinsiders(likeSnowden).Governmentagenciesandhighlyresourcedprivatecompanieshavebeenunabletopreventtheirnetworksfrombeingpenetrated,andsometimesarelikelytoidentify‘advancedpersistentthreats’monthsafterthemalwarehasbegunexecutingitsmaliciouspurposes.Thisphenomenallydestructivesituationcannotobtain,andpresumablysomemoreeffectivesolutionswillhavetobeidentified,developedandimplemented.Whatthoseremedieswillbe,however,isnotatallclearas2014yieldsto2015.

Inthecomingyear,itwouldseemplausiblethattherecouldbeeffortsatinternationalcooperationoncybersecurityaswellascross-borderenforcementagainstprivacyviolators.EnforcersintheEU,USandamongtheAPECeconomies,mayincreasinglyagreetoworktogethertopromotethesharedvaluesembodiedinthe‘fairinformationpracticesprinciples’thatarecommontomostnationalprivacyregimes.Inearly2014,astepinthisdirectionwastakenwhenAPECandtheEuropeanUnion’sArticle29WorkingParty(onDataProtection)jointlyreleasedaframeworkbywhichinternationaldatatransferscouldbeeffectuatedpursuanttotheguidelinesofbothorganisations.

Challengesandconflictswillcontinuetobefactorswithrespectto:assurancesofprivacyprotection‘inthecloud’;commonunderstandingsoflimitsonandtransparencyofgovernmentaccesstopersonaldatastoredeitherinthecloud,orbyinternetcompaniesandserviceproviders;differencesabouthowandwheninformationcanbecollectedinEurope(andperhapssomeothercountries)andtransmittedtotheUSforcivildiscoveryandlawenforcementorregulatorypurposes;freedomofexpressionforinternetpostsandpublications;theabilityofcompaniestomarketontheinternetandtotrack–andprofile–usersonlinethroughcookiesandotherpersistentidentifiers;andthedeploymentofdronesforcommercialandgovernmentaldataacquisitionpurposes.

Thebiggestloomingissueofthemall,however,willlikelybe‘bigdata’.Thisisahighlypromisingpractice–basedondatascienceandanalytics–thatcollectsandusesenormousquantitiesofdisparate(andoftenunstructured)data,andappliescreativenewalgorithmsenabledbyvastlycheaperandmorepowerfulcomputerpowerandstorage.Bigdatacandiscoverhelpfulnewpatternsandmakeusefulnewpredictionsabouthealthproblems,civicneeds,commercialefficiencies,andyes,consumerinterestsandpreferences.

ThepotentialsocialutilityofbigdatahasbeenunequivocallyacknowledgedbytheUSadministrationaswellasbythekeypolicymakersintheEU.But,bigdatachallengestheexistingprivacyparadigmofnoticeanddisclosuretoindividualswhoarethenfreeto

makechoicesabouthowandwhentheirdatacanbeusedandcollected.Manyexistingandproposedapplicationsofbigdataonlyworkifthevaststoresofdatacollectedbytoday’scompaniescanbemaintainedandanalysedirrespectiveofpurposelimitations.Suchlimitationsmayhavebeenrelevant(anddisclosed)atthepointofcollection,butnolongeraddressthevalueofthedatatocompaniesandconsumerswhocanbenefitfrombigdataapplications.NumeroushighlythoughtfulreportsbypolicymakersintheUSandEUhavenotedconcernsaboutthepossibilitythatunfetteredbigdataapplicationscouldresultinhiddendiscriminationagainstcertaindemographicgroupsthatmightbedifficulttoidentifyandcorrect;orcouldresultinundueprofilingofindividualsthatmightinhibittheirautonomy,limittheirfinancial,employment,insuranceorevenserendipitouschoices,orpossiblysomehowencroachontheirpersonalprivacy(totheextentthatotherwiseaggregateoranonymousdatacanbere-identified).

Thispublicationarrivesatatimeofenormousfermentforprivacy,dataprotectionandcybersecurity.Readersareinvitedtoprovideanysuggestionsforthenexteditionofthiscompendium,andwelookforwardtoseeinghowthemanyfascinatingandconsequentialissuesaddressedherewillevolveordevelopinthenextyear.

AlanCharlesRaulSidleyAustinLLPWashington,DCNovember2014

PAGE

268

Chapter21

UNITEDSTATES

AlanCharlesRaul,TashaDManoranjanandVivekMohan1

OVERVIEW

Thoughnotuniversallyacknowledged,theUnitedStates’commercialprivacyregimeisarguablytheoldest,mostrobust,welldevelopedandeffectiveintheworld.TheUnitedStates’privacysystemhasarelativelyflexibleandnon-prescriptivenature,relyingmoreonposthocgovernmentenforcementandprivatelitigation,andonthecorrespondingdeterrentvalueofsuchenforcementandlitigation,thanondetailedprohibitionsandrules.Withcertainnotableexceptions,theUSsystemdoesnotapplya‘precautionaryprinciple’toprotectprivacy,butrather,allowsinjuredparties(andgovernmentagencies)tobringlegalactiontorecoverdamagesfor,orenjoin,‘unfairordeceptive’businesspractices.However,USfederallawdoesimposeaffirmativeprohibitionsandrestrictionsincertaincommercialsectors,suchasthoseinvolvingfinancialandmedicaldata,andelectroniccommunications,aswellaswithrespecttochildren’sprivacy,backgroundinvestigationsand‘consumerreports’forcreditoremploymentpurposes,andcertainotherspecificareas.Statelawsaddnumerousadditionalprivacyrequirements.

LegalprotectionofprivacyincivilsocietyhasbeenrecognisedintheUScommonlawsince1890whenthearticle‘TheRighttoPrivacy’waspublishedintheHarvardLawReviewbyProfessorsSamuelDWarrenandLouisDBrandeis.Moreover,fromitsconceptionbyWarrenandBrandeis,theUSsystemforprotectingprivacyinthecommercialrealmhasbeenfocusedonaddressingtechnologicalinnovation.TheHarvard

1 AlanCharlesRaulisapartnerandTashaDManoranjanandVivekMohanareassociatesatSidleyAustinLLP.Passagesofthischapterwereoriginallypublishedin‘Privacyanddata

protectionintheUnitedStates’,TheDebateonprivacyandsecurityoverthenetwork:Regulationandmarkets,2012,FundaciónTelefónica;andRaulandMohan,‘TheStrengthoftheU.S.CommercialPrivacyRegime’,31March2014,amemorandumtotheBigDataStudyGroup,USOfficeofScienceandTechnologyPolicy.

UnitedStates

PAGE

269

professorsastutelynotedthat‘[r]ecentinventionsandbusinessmethodscallattentiontothenextstepwhichmustbetakenfortheprotectionoftheperson,andforsecuringtotheindividual[…]theright“tobeletalone”’.In1974,CongressenactedthefederalPrivacyAct,regulatinggovernmentdatabases,andfoundthat‘therighttoprivacyisapersonalandfundamentalrightprotectedbytheConstitutionoftheUnitedStates’.ItisgenerallyacknowledgedthattheUSPrivacyActrepresentedthefirstofficialembodimentofthefairinformationprinciplesandpracticesthathavebeenincorporatedinmanyotherdataprotectionregimes,includingtheEuropeanUnion’s1995DataProtectionDirective.

TheUShasalsoledthewayfortheworldnotonlyonestablishingmodellegaldataprotectionstandardsinthe1974PrivacyAct,butalsointermsofimposingaffirmativedatabreachnotificationandinformationsecurityrequirementsonprivateentitiesthatcollectorprocesspersonaldatafromconsumers,employeesandotherindividuals.ThestateofCaliforniawasthepathbreakerondatasecurityanddatabreachnotificationbyfirstrequiringin2003thatcompaniesnotifyindividualswhosepersonalinformationwascompromisedorimproperlyacquired.Sincethen,approximately47states,theDistrictofColumbiaandotherUSjurisdictions,andthefederalbanking,health-careandcommunicationsagencieshavealsorequiredcompaniestoprovidemandatorydatabreachnotificationtoaffectedindividuals,andimposedaffirmativeadministrative,technicalandphysicalsafeguardstoprotectthesecurityofsensitivepersonalinformation.Dozensofothermedicalandfinancialprivacylawsalsoexistinvariousstates.Thereis,however,nosingleomnibusfederalprivacylawintheUS.Moreover,thereisnodesignatedcentraldataprotectionauthorityintheUS,thoughtheFederalTradeCommission(FTC)hasessentiallyassumedthatroleforconsumerprivacy.TheFTCisindependentofthePresident,andisnotobliged(thoughitisencouraged)torespecttheAdministration’sperspectiveontheproperbalancebetweencostsandbenefitswithrespecttoprotectingdataprivacy.

AsintheEUandelsewhere,privacyanddataprotectionarebalancedintheUS

inaccordancewithotherrightsandintereststhatsocietiesneedtoprosperandflourish,namely,economicgrowthandefficiency,technologicalinnovation,propertyandfreespeechrightsand,ofcourse,thevaluesofpromotinghumandignityandpersonalautonomy.ThemostsignificantfactorincounterbalancingprivacyprotectionsintheUS,perhaps,istherighttofreedomofexpressionguaranteedbytheFirstAmendment.Preservingfreespeechrightsforeveryonecertainlyentailscomplicationsfora‘righttobeforgotten’sinceoneperson’sdesireforoblivionmayruncountertoanother’ssenseofnostalgia(orsomeotherdesiretomemorialisethepastforgoodorill).

TheFirstAmendmenthasalsobeeninterpretedtoprotectthepeople’srighttoknowinformationofpublicconcernorinterest,evenifittrenchestosomeextentonindividualprivacy.CompanieshavealsobeendeemedtohaveaFirstAmendmentrighttocommunicaterelativelyfreelywiththeircustomersbyexchanginginformationinbothdirections(subjecttotheinformationbeingtruthful,notmisleading,andotherwisenotthesubjectofanunfairordeceptivebusinesspractice).

ThedynamicandrobustsystemofprivacygovernanceintheUnitedStatesmarshalsthecombinedfocusandenforcementmuscleoftheUSFederalTradeCommission,stateattorneysgeneral,theFederalCommunicationsCommission,theSecuritiesandExchangeCommission,theConsumerFinancialProtectionBureau(andotherfinancialandbankingregulators),theDepartmentofHealthandHumanServices,

theDepartmentofEducation,thejudicialsystem,andlast–butcertainlynotleast–thehighlymotivatedandaggressiveUSplaintiffs’bar.Takentogether,thisenforcementecosystemhasproventobenimble,flexible,andeffectiveinadaptingtorapidlychangingtechnologicaldevelopmentsandpractices,respondingtoevolvingconsumerandcitizenexpectations,andservingasameaningfulagentofdeterrenceandaccountability.Indeed,theUSenforcementandlitigation-basedapproachappearstobeparticularlywellsuitedtodealwith‘recentinventionsandbusinessmethods’–namely,newtechnologiesandmodesofcommerce–thatposeeverchangingopportunitiesandunpredictableprivacychallenges.

THEYEARINREVIEW

AswithnearlyotherareaofrecentlegislativeactivityinWashington,Congresshasnotbeenabletoactonprivacy,consumerdatasecurity,databreachnotificationorcybersecuritylegislation.WhiletheAdministrationofPresidentObamahascalleduponCongresstoenacta‘ConsumerPrivacyBillofRights’andlegislationtohelpprotectcybersecurityfor‘criticalinfrastructure’,partisangridlock,aswellasconcernaboutover-regulatingtheprivatesector,hasstalledaction.Thecongressionalstalematewasconsiderablyshakenup,however,whenformerNationalSecurityAgency(NSA)contractorEdwardSnowdenleakedinformationregardingUSgovernmentsurveillanceprogrammestoTheGuardianandTheWashingtonPostinthesummerof2013.ThissparkedamediafrenzyaroundvariousNSAsurveillanceprogrammes.SomeoftheallegationsconcernedunauthorisedsurveillanceofUScitizensorforeignintelligencetargetswithintheUnitedStates,whileotherssuggestedwidespreadsurveillanceoutsidetheUS.

Asaresultofthesedisclosures,foreigngovernments,includingwithintheEuropeanUnion,expressedconcernregardingthebreadthofNSAsurveillanceoutsidetheUnitedStates.Forexample,theEUArticle29WorkingPartysentalettertoEUJusticeCommissionerVivianeRedingsuggestingapossibleinvestigationofviolationsbytheUSoftheEU’sdataprotectionrules.2

ThemediaandpoliticalfirestormsurroundingtheSnowdendisclosureshasledtheexecutivebranchtointroduceproposalsregardingNSAandcommercialdatacollectionprocesses.Inadditiontoitsproposalsforreformsofthegovernment’sbulkmetadatasurveillance,theWhiteHousehasalsoissuedreportsandrecommendationsfordatacollectionintheprivatebigdatasector.Followingcloselyonthis,on29MaytheFTCissuedamuchanticipatedreportonbigdatathatheavilycriticisedthelackoftransparencyinthedatabrokeringindustry,offeredrecommendationsforconsumercontrolofinformationandadvocatedforbroadlegislationthatwouldnotonlycreateobligationsforanalyticscompanies,butalsoforretailersthatmayprovidethemwithinformation.Significantly,however,thereportdoesnotsuggestthatanycurrentdatabrokerpracticesareillegalunderexistinglaw.

SeeJacobKohnstamm,ChairmanofEUArticle29WorkingParty,lettertoVivianeReding(13August2013),availableat

http://ec.europa.eu/justice/data-protection/article-29/

documentation/other-document/files/2013/20130813_letter_to_vp_reding_final_en.pdf.

Cybersecurityremainsahottopic,althoughexpectationsforcongressionalactionremainuncertain.Legislativeactioninthestatescontinues,withKentuckybecomingthe47thstatetohavepasseddatabreachnotificationlegislation.Severalstateshavealsoamendedexistinglawstoexpandbreachobligations.

FTCactions

TheFTCannouncedon21January2014thatithadenteredintono-faultconsentorderswith12companiesthatallegedlyclaimedtheywereincompliancewiththeUS–EUandUS–SwitzerlandSafeHarborprogrammeswheninfacttheircertificationshadlapsed.Theagreementcoversseverallargebusinesses,includingthreeNFLfootballteamsandLevel3CommunicationsLLC,oneofthelargestinternetserviceprovidersintheworld.TheSafeHarborprogrammerequirescompaniestoannuallyre-certifytheircompliancewiththeSafeHarborframework.TheFTCchargedthatbyincludingstatementsint

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

评论

0/150

提交评论