In June, VIP announced that it would be discontinuing the program due to its inability to “negotiate a settlement” with its creditor.  At the time, VIP assured its customers that “[t]he personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.”

Despite this assurance from VIP, many customers expressed concern over the handling of the personal data they had provided to CLEAR.  In addition, customers objected to VIP's statement that it would not issue refunds to customers, some of whom had paid in advance for years of service.

A week after VIP’s announcement of its discontinuation of the program, CLEAR customers brought a putative class action against VIP in the Southern District of New York.  As amended, plaintiffs’ claims include breach of contract, negligence, and unjust enrichment.  Plaintiffs also sought a preliminary injunction,  explaining that "VIP’s cessation of the CLEAR program and other factors indicate a significant risk that the confidential information of Plaintiffs . . . will be compromised.”  Plaintiffs expressed concern that VIP would not honor its contractual obligation not to disclose or sell its customers’ data. In the same motion, plaintiffs also sought an order requiring the preservation of evidence.

Judge Holwell agreed, and issued an order enjoining VIP from 1) selling any confidential information obtained from Clear members of applicants, 2) disclosing any such information to any other entity, and 3) maintaining or storing information in a manner that permits disclosure of the information.   Judge Holwell also ordered that VIP take all necessary steps to preserve evidence relevant to the case. As news outlets have reported, however, VIP’s lawyers may challenge the order on the grounds that the judge failed to give them an opportunity to respond to plaintiff’s motion.

Regardless of whether this particular order remains in place, the controversy surrounding VIP’s cessation of CLEAR service underscores the security and privacy issues that arise when companies entrusted with customers’ personal information are no longer financial viable.  

Links:

• Order enjoining VIP (.pdf)
• VIP announcement: discontinuation of Clear program
• ComputerWorld article reporting on discontinuation of Clear
• Plaintiffs' Amended Complaint (.pdf)
• Plaintiffs' Motion for Preliminary Injunction (.pdf)
• Plaintiffs' Memorandum of Law in Support of Preliminary Injunction (/.
• ComputerWorld article reporting on preliminary injunction
  

Last month, Facebook announced plans to simplify its users' ability to control privacy settings. Facebook will standardize privacy settings, remove overlapping settings, and put all settings on the same page. In an effort to give users more control over how their information is shared, Facebook will allow users to decide, on a post-by-post basis, with whom to share their content. Users will have the option of sharing their posts with: 1) only specific friends, 2) all friends, 3) friends and people in the user’s network, 4) friends of friends, or 5) everyone. According to media reports, the "everyone" option will soon expand to include anyone on the internet – a move widely seen as an attempt to compete with Twitter. Facebook will launch a Transition Tool that will prompt users to set their level of sharing, and will carry over previous privacy settings.  

The announcement carefully explained that the changes would not affect the information Facebook provides to its advertisers – a topic related to the controversy earlier this year surrounding proposed revisions to the Facebook terms of service.  Instead, Facebook will continue to provide advertisers with only that information that users have authorized.

 With the changes, Facebook will provide users with more options for controlling access to their content.  As one might predict given the current climate favoring increased user control over privacy, Facebook's proposed changes have largely been well received. Only time will tell whether most users will exercise this control to share their data or whether they will favor keeping their information private.

Links:

• Facebook blog announcement
• PC World Article
• Previous post

The subcommittees heard testimony from the following witnesses:

• Edward W. Felton, Professor of Computer Science and Public Affairs at Princeton University
• Anne Toth, Vice President of Policy and Head of Privacy, Yahoo! Inc.
• Nicole Wong, Deputy General Counsel, Google Inc.
• Christopher Kelly, Chief Privacy Officer, Facebook
• Jeff Chester, Executive Director, Center for Digital Democracy
• Charles Curran, Executive Director, Network Advertising Initiative
• Scott Cleland, President, Precursor LLC

Committee members' questions focused on issues that would be important to drafting legislation.  For example, several members asked about the benefits of opt-in as opposed to opt-out requirements.  Opt-in and opt-out are two schemes for allowing consumers an option as to whether to participate in targeted advertising.  Opt-out requires consumers to affirmatively seek out the company's policy and elect not to participate, while opt-in would require companies to affirmatively notify consumers of their privacy policies and obtain permission before using consumers' data.  After hearing from witnesses from Google and Yahoo about their opt-out programs, Chairman Rush asked exactly what consumers "opt-out" of, inquiring whether opt-out ensures that a consumers data will not be collected, or whether opt-out means that a consumer will not see targeted ads.  Both witnesses explained "opt-out" allows users to exclude themselves from targeted advertising, but not data collection. 

Committee members also focused attention other issues that would be important to the drafting of legislation, including the treatment of personally identifiable and sensitive information, and whether the Federal Trade Commission (FTC) or the Federal Communications Commission (FCC) should be given jurisdiction over new legislation.  Consistent with the FTC Chairman's recent questioning of the adequacy of existing industry self-regulation, reported here, members also inquired about whether self-regulation can be effective without an enforcement mechanism and whether industry audits would advance privacy interests.

At TOSBack, users can click on one of over two dozen organizations to identify changes to the organization’s terms of service and/or privacy policies. TOSBack allows users to compare new and older versions of those policies, with a side-by-side view that shows additions and deletions to the policies. Users can also subscribe to an RSS feed that will alert them to new changes in the policies. TOSBack will undoubtedly help consumers identify changes that have been made to the policies of websites they visit. Nevertheless, because TOSBack exhaustively documents all changes to the policies it tracks, some users may find themselves spending considerable time sifting through immaterial changes.

These comments echo a concurring statement Leibowitz issued with a recent FTC staff report on self-regulation of behavioral advertising.  In November 2007, the FTC held a public town hall meeting to discuss behavioral advertising. Then, in December 2007, it issued a report identifying “possible self-regulatory principles” for behavioral advertising. Specifically, the FTC identified the following principles to guide self-regulatory efforts by the industry:

• transparency/consumer control;
• reasonable security and limited data retention for consumer data;
• affirmative, express consent for material changes to existing privacy promises;
• affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising;

Finally, the report also issued a call for additional information regarding using tracking data for purposes other than behavioral advertising. In February 2009, the FTC issued a follow-up report, Self-Regulatory Principles for Online Behavioral Advertising, advancing the same principles with some clarification.  For example, while the first two principles remain unchanged, the FTC staff clarified that express consent for material changes is only suggested for changes that affect information already collected.  The report also clarifies that the principles apply to "any data collected for online behavioral advertising that could reasonably be associated with a particular consumer or a particular computer or device. The report continues to urge the industry to obtain consent before using sensitive data -- such as financial or health information -- for advertising.  Leibowitz issued a concurring statement to the report, in which he emphasized that "the Report's endorsement of self-regulation" should be "viewed neither as a regulatory retreat by the Agency nor an imprimatur for curent business practice." He stated that "[i]ndustry need to do a better job of meaningful, rigorous self-regulation or it will certainly invite legislation by Congress and a more regulatory approach by our Commission."  Leibowitz also cautioned that the FTc "will go after" all companies that fail to keep their promises about they they will use consumers' information.  He concluded by warning that "[a] day of reckoning may be fast approaching."

It is unclear why the FTC has encouraged self-regulation in this area, as opposed to pursuing direct regulation. While the industry remains officially unregulated, Leibowitz's recent comments encouraging the use of "opt-in" procedures suggest that he may be attempting to accomplish an increasingly specific regulatory agenda through “self-regulation.”  It remains to be seen whether the FTC will continue to encourage the industry to adopt the standards the FTC would like to see, or whether, as Leibowitz has predicted, Congress or the FTC will adopt a more regulatory approach.

Links:

• Reuters article
• C-Span interview
• FTC's December 2007 report
• FTC's February 2009 report
• Chairman Leibowitz's concurring statement

The legislation has been referred to committee in the House and Senate. 

Links:

• The Internet SAFETY Act of 2009
• The annoucement from Senator Cornyn's office
• A National Journal article on the bill 
• The EFF comment

The Working Party concludes that the proposed clauses adequately ensure that sub processing operations maintain the same level of protection reflected in the standard contractual clauses. At the same time, exporters are advised to keep a list of processors and sub processors in the contractual chain, and data protection authorities are encouraged to audit data importers and sub processors.  The Working Party also recommends that the law of the data exporter’s state apply to sub processing contracts. 

There is some debate as to whether all of Working Party's proposals are feasible.  For example, Hunton and Williams, which has been involved in the International Chamber of Commerce's efforts to update the standard contractual clauses, has questioned the viability of audits of sub-processors located outside the EU, as well as the workability of applying the law of the data controller's country to agreements between processors and sub-processors.

The Draft Commission decision is not yet public.  According to a BNA article, the decision will now move to the Article 31 Committee of member state representatives.  8 PVLR 457. If the Article 31 Committee supports the proposal, it will move to the European Parliament, which will have 30 days to examine it and issue a recommendation before the decision is adopted.

Links:

•  Opinion 3/2009 on the Draft Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC is available here.

Under Article 7, a member state may process personal data only if one of six identified grounds for processing applies. The Working Document considers the Article 7 grounds most likely to supply a legitimate basis for compliance with a discovery request – namely 1) consent, 2) necessary for compliance with a legal obligation, and 3) necessary for the purposes of a legitimate interest, where such interests are not "overridden by the interests for fundamental rights and freedoms of the data subject."  Recognizing that the "interests of justice would be served by not unnecessarily limiting the ability of an organisation to act to promote or defend a legal right," the Working Document suggests that the third basis - necessary for the purposes of a legitimate interest - will often provide a ground for processing data in response to a U.S. discovery request. 

In addition to advising controllers on the identification of a proper basis for processing, the Document  reminds controllers that when sensitive personal data is involved, they must identify a proper basis for processing that data in accordance with Article 8.  Finally, data controllers are reminded to: 1) take appropriate steps to ensure that discovery is limited to that which is objectively relevant to the issues being litigated; 2) ensure transparency by informing those whose data is shared, unless there is a substantial risk that such notification would jeopardize the investigation; and 3) protect data subjects' rights of access and rectification by seeking protective orders, and 4) take steps to preserve the security of the data – an obligation that extends to law firms, experts, and others with whom the data is shared. 

While the Working Document offers advice to member jurisdictions, the Working Party was also careful to note that "resolving the issues of pre-trial discovery is beyond the scope of an Opinion by the working party and . . . these matters can only be resolved on a governmental basis."  Although the Working Document applies only in EU member jurisdictions, it serves as a reminder that entities involved in litigation must be mindful of fundamental information security concerns that could limit discovery during litigation – a proposition that is increasingly recognized by U.S. Courts and institutions as well. 

Links:

• The Working Document 1-2009 is available here (.pdf) or from the European Commission website here (.pdf)
• Directive 95/49/EC is available here (.pdf) or from the European Commission website here (.pdf, Part 1) and here (.pdf, Part 2)