In the past few years, there has been a dramatic increase in the number of laws, rules and regulations applicable to the collection, use and transfer of personally-identifiable information via the Internet. At the same time, governmental authorities have been demonstrating a new level of commitment to investigating and prosecuting privacy violations.
Furthermore, consumers have become educated about their privacy rights and the means at their disposal, including private lawsuits, for enforcing such rights. Adding to this already complex mix is the fact that the Internet is a global medium and many different countries are attempting to regulate it at the same time. By accepting customers from different countries, Web site operators are opening themselves up to the potential application of foreign law to their activities.
PROVIDE ADEQUATE SECURITY
One of the most important steps to take when attempting to manage the risks of privacy violations is to provide adequate security to personal information.
In the Internet age, security and privacy have become increasingly interrelated and it has become impossible to provide accurate guarantees regarding maintaining the privacy of personal information without addressing the security measures that will be used to protect such information.
Furthermore, a number of privacy laws, including the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act and the European Community’s Directive 95/46/EC (commonly known as the “Data Protection Directive”), contain specific data-security requirements.
The significance of data security has been confirmed with a number of prominent cases. In one of the most recent of these cases, Microsoft entered into an agreement with the Federal Trade Commission to settle FTC charges that Microsoft had provided false security and privacy promises when operating its “Passport” Web services.
The privacy policies for such Web services contained statements such as: “Passport achieves a high level of Web security by using technologies and systems designed to prevent unauthorized access to your personal information” and “Your Passport is protected by powerful online security and a strict privacy policy.”
Following a July 2001 complaint from a coalition of consumer and privacy groups, the FTC commenced an investigation of Microsoft’s practices, which culminated in a complaint in which the FTC alleged that Microsoft falsely represented that:
• it employs reasonable and appropriate measures under the circumstances to maintain and protect the privacy and confidentiality of consumers;
• purchases made with the Passport Wallet service are generally safe or more secure than purchases made at the same site without Passport Wallet; and
• Passport did not collect any personally identifiable information other than that which was described in the Privacy Policy.
As part of the settlement, Microsoft was required to implement and maintain a comprehensive information security program. Furthermore, every two years Microsoft will be required to have its security program certified by an independent examiner as meeting or exceeding the standards specified in the consent order.
Although notable in its own right, the Microsoft case is only the most recent in a slew of similar cases. A number of other organizations have struck similar agreements with the FTC, and an even greater number of entities have had their security practices, and the guarantees made about such practices, called into question by governmental authorities both in the United States and abroad.
UNREALISTIC RESTRICTIVENESS
Although the cases outlined in the previous section highlight the importance of implementing adequate measures to protect the security of personal data, they also illustrate that it is necessary to avoid making unrealistic privacy guarantees. Above all, a privacy policy must be an accurate description of the practices of an entity and entities may face very serious consequences if they use or transfer personal data in a manner that violates their stated privacy policy.
Many Web site privacy policies, for example, contain a very clear statement informing users that their information will never be transferred, sold or disclosed to third parties for any reason. Although such a statement may help to bolster individual confidence when disclosing personal data, many companies may not be able to honor that pledge. In some circumstances an entity may desire or be required to transfer personal data to third parties. Unless such potential transfers are disclosed in the privacy policy, the entity may be prohibited from engaging in them.
In July 2000, the FTC commenced an enforcement action against bankrupt e-tailer Toysmart.com, LLC and Toysmart.com, Inc.
The FTC was alerted when, in conjunction with its dissolution, Toysmart attempted to sell personal data collected via the Internet, even though its privacy policy assured customers that the information that was collected from them would never be shared with third parties.
On May 22, 2000, Toysmart announced that it was closing its operations and selling its assets. Despite the assurances in Toysmart’s privacy policy, it offered personal data collected via its Web site as part of the assets it was selling.
The FTC initiated an enforcement action against Toysmart, charging that it had misrepresented to customers that personal data would never be shared with third parties and had disclosed, sold and offered for sale that information.
This action eventually ended in a settlement in July 2000, whereby Toysmart was prohibited from selling its customer list as a stand-alone asset. The settlement permitted Toysmart to sell such customer lists containing personal data only (1) as part of a package that included the entire Web site; (2) to an entity that was in a related market; and (3) to an entity that expressly agreed to be Toysmart’s successor-in-interest as to the personal data.
Under the terms of the settlement, the buyer of Toysmart’s assets would have to agree to abide by Toysmart’s privacy policy and to obtain the affirmative consent (opt-in) of the data subjects prior to using their personal data in any manner that was inconsistent with Toysmart’s original privacy policy.
For Toysmart, as well as for many other companies, customer information is a major asset. By adopting a very restrictive privacy policy, Toysmart effectively limited its business plan and was not able to use one of its primary assets as it had intended.
OUTSIDE THE UNITED STATES
In addition to domestic enforcement and private lawsuits, Web site operators based in the United States should also consider the potential application of the data privacy laws of other countries.
A number of jurisdictions, including, notably, the European Community, have data privacy laws that are more stringent than those in the United States. Such laws can become relevant to U.S. companies in a variety of scenarios, including when U.S. Web site operators collect personal information from individuals based in other countries, or attempt to receive transfers of personal information from subsidiaries based in other countries.
The European Community’s Data Protection Directive establishes several restrictions on the collection, use and disclosure of personal data. Among the most controversial provisions of this Directive is Chapter IV, which governs transfers of personal data. Specifically, Article 25(1) compels European Union member states to prohibit transfers of personal data to other countries unless the country in question provides adequate protection to personal data.
Currently, only a few countries have been designated by European officials as providing adequate protection to personal data, and the United States is not among them.
Some U.S. companies have already experienced difficulties with European regulators in this area. For example, back in 1995, the Swedish Data Inspection Board ruled that American Airlines, Inc. was prohibited from transferring personal data on Swedish passengers to the United States for processing using its SABRE travel information network.
The Swedish Data Inspection Board’s decision to block American Airlines’s transfer of personal data to the United States was based on the fact that the United States had not acceded to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and thus failed to provide adequate protection to personal data. In addition, American Airlines proposed to transfer sensitive personal data, including data on religious beliefs (for the purpose of honoring special meal requests) and disability (for the purpose of providing assistance at the airport). Under Swedish law, such sensitive personal data can only be processed with the individual’s informed consent.
American Airlines’s experiences in Sweden reinforce the fact that American companies risk having their flows of personal data from Europe disrupted by European privacy regulators. All entities receiving personal data from individuals in Europe, even entities based solely in the United States, should take steps to comply with the requirements of the Data Protection Directive and other applicable privacy laws.
IMPLEMENTATION IS KEY
When implementing privacy policies and procedures company-wide, it is essential to ensure that actual practices are consistent with stated policies. Although much emphasis has been placed on privacy policies for Web sites, privacy policies must actually be developed and implemented throughout the entire organization. If a company has different on-line and off-line privacy policies, this should be clearly stated in the privacy policies.
Although policy implementation will vary from company to company, every company should:
• analyze all collection, use and transfer of personal data;
• use input from all key constituencies, and develop privacy policies to apply to on-line and off-line collection of personal data;
• institutionalize the policy;
• review and revise key agreements;
• implement and test technical security measures;
• conduct initial and ongoing training; and
• monitor the regulatory framework and implement subsequent changes accordingly.
From time to time, it will be necessary or desirable to transfer personal data to third parties for specific limited reasons or even for other, more general purposes. In such cases, the transferring party should ensure that its agreement with the receiving party places limitations on the ability of such party to use, transfer or maintain the personal data. It will also be important to ensure that the receiving party implements technical and organizational measures to protect all transferred personal data.
Web site users must have actual notice of the contents of the privacy policy. Privacy policies for e-commerce Web sites should be presented clearly and conspicuously on the site. It is recommended that a link to the privacy policy appear prominently on every page of the Web site, particularly on pages on which personal information is collected.
Further, every form that collects personal data should contain a statement compelling the user to acknowledge that he or she has read and reviewed the privacy policy prior to being permitted to submit personal data to the Web site.
In the current environment, the consequences of committing privacy violations can be quite severe. Accordingly, it is extremely important that the development and implementation of privacy policies be afforded proper attention and concern.
Dillon is a partner at Goodwin Procter of Boston. Hildebrand is a partner and Klosek is an associate at the firm’s Roseland office. All are members of the firm’s intellectual property-technology practice area, which is chaired by Hildebrand. Klosek is the author of Data Privacy in the Information Age (Greenwood Publishing 2000), a book concerning data privacy in the European Union and the United States.