Navigating The Privacy Maze In The U.S. And Abroad

Editor: Please describe the privacy conference in Washington that took place May 5-6 and your role.

Eleftheriou: The privacy conference was co-sponsored by the ABA Section of International Law and the International Young Lawyers Association. I have leadership roles in both organizations and was actively involved in planning and conducting the conference, which was titled "Data Protection & Security: A Transnational Discussion."

Speakers from the U.S. included representatives of the Federal Trade Commission and the Department of Commerce. Also in attendance was the Privacy Commissioner of Canada, Jennifer Stoddart, our luncheon speaker, and speakers from the EU, South America and India. Our keynote speaker was Dr. Spiros Simitis, one of the leading authorities on data protection in the EU. He is sometimes referred to as the "father" of the EU Data Protection Directive. Attendees came from 13 countries.

The conference covered a broad range of privacy topics, including the cross-border transfer of personal data, data protection and security in the U.S. and abroad, outsourcing, and RFID. Conference materials may be purchased from AIJA ( ).

Given the tremendous amount of positive feedback we received about the conference, we may do this again, perhaps in Europe - stay tuned.

Editor: Give us some idea of the magnitude of the security breach problem and the steps being taken in the U.S. to address the problem.

Eleftheriou: We continue to see a growing number of reported data security breach incidents in the U.S. They involve such things as hacking, stolen or missing computers and backup tapes, inside jobs and stolen passwords. According to one source, approximately 85 million accounts have been compromised since the ChoicePoint incident in February 2005. As you may know, ChoicePoint notified consumers of its data security breach pursuant to a pioneering California data security breach notification law. Since then, at least 30 states have enacted data security notification legislation, and we expect more states to follow. This is not good for businesses, since they are confronted with an increasing number of inconsistent security breach notification laws; for example, businesses are confronted with different requirements regarding who and when to notify in the event there is a data security breach.

There is no federal security breach notification law, but several bills addressing this issue are pending in Congress. It is unclear whether we will see a federal law this year, although there has been a renewed interest in a federal requirement as a result of a major data security breach recently experienced by the Department of Veterans Affairs. The VA reported that the personal data of over 26 million veterans had been stolen.

Financial institutions should be aware that last year certain federal agencies jointly issued an interagency guidance on response programs for unauthorized access to customer data and providing notice - the guidance is available on ( ). The FTC also issued a guidance document on information compromise and notification, available on (

Editor: What types of government enforcement action are we seeing as a result of data security breaches?

Eleftheriou: The FTC has challenged the data security practices of several companies as deceptive - i.e., misrepresenting data security practices; and unfair - i.e., not having reasonable security measures in place.

For example, earlier this year, ChoicePoint settled with the FTC by agreeing to pay $15 million dollars, consisting of $10 million in civil penalties (the largest civil penalty in FTC history) and $5 million in consumer redress, to settle charges that its security practices violated consumer privacy rights and federal law. Under the settlement, ChoicePoint is required to implement a comprehensive information security program and to obtain audits by an independent third party every two years for twenty years. CardSystems Solutions also settled with the FTC with respect to charges that it had engaged in unfair practices by failing to take appropriate security measures to protect sensitive data. Like the ChoicePoint settlement, CardSystems is required to implement a comprehensive data security program and to obtain third party audits biennially.

The FTC's thirteenth case challenging faulty data security practices was settled in May of this year. It involved a title company that had promised to maintain physical, electronic and procedural safeguards to protect consumer financial information. The FTC charged the company with failing to provide reasonable and appropriate security measures to protect personal data in violation of federal law. Expect to see more cases like these in the future.

The important issue here is to what extent there are actual damages - for example, identity theft - resulting from breaches in data security. According to one study, only one in a thousand compromised accounts is in fact used fraudulently. According to the FTC, at least 800 cases of identity theft arose out of the ChoicePoint incident, which affected more than 163,000 consumers.

Editor: How does the European Union address data privacy and security?

Eleftheriou: The EU has adopted privacy legislation (the EU Data Protection Directive) that establishes comprehensive principles addressing the collection, use, disclosure and security of personal data. Of course, when you are dealing with the EU, you are dealing with 25 (and soon to be 27) EU Member States and their implementing laws, which are inconsistent with one another. Article 17 of the Directive requires the safeguarding of personal data - for example, companies must implement appropriate technical and organizational measures to protect personal data. The Directive, however, does not specifically require notification in the event there is a security breach. To my knowledge, only the U.S. and Japan have laws that specifically require security breach notification.

For those interested in learning more about the Directive, there is a fantastic guide on the Directive on (

Editor: Can we expect to see global harmonization of privacy laws?

Eleftheriou: There is certainly a growing interest in harmonizing privacy principles on a global level. For example, last year at an international privacy conference in Switzerland, privacy commissioners from around the world called for the harmonization of privacy principles. They will review the harmonization issue again at their next meeting in Argentina later this year. I think it is possible for countries to adopt harmonized privacy principles, but, as in the case of the EU Data Protection Directive, incorporating those principles into national legislation with minimal inconsistencies will be the greatest challenge. Global privacy harmonization would also have to take the form of a treaty, as opposed to non-binding cooperative arrangements (i.e., the APEC Privacy Framework), which may not be sufficient to compel participating countries to implement harmonized principles.

Editor: In addition to harmonization, what are some of the other "hot" international privacy issues?

Eleftheriou: Cross-border transfers are a significant issue, particularly between EU Member States and other countries. Article 25 of the EU Data Protection Directive (the most controversial provision of the Directive) generally prohibits the transfer of personal data to any country that does not provide "adequate" privacy protection. There is a short list of countries that are deemed by the EU to provide adequate privacy protection, but the U.S. is not on this list.

There are, of course, alternative means to satisfying this adequacy requirement, including participating in the Safe Harbor, obtaining consent from the data subject (although this is less of an option in light of a recent paper by the Article 29 Working Party (WP 114), the European Commission's advisory board on data protection, and a bit tricky in employment contexts), through the use of ad hoc contracts or EU-approved model clauses, and the use of binding corporate rules. BCRs are sets of binding and enforceable standards (internal "law") adopted by a company or corporate group that provide legally-binding protections for data processing within the company or corporate group. Although BCRs have not been a popular option, expect to see more companies using BCRs and more EU Member States endorsing them.

Note that critics of this "adequacy" standard are pushing for the global recognition of an alternative "accountability" standard for cross-border transfers (followed by the APEC Privacy Framework) - cross-border transfers are allowed, but the transferor remains responsible for the transferred data.

Of course, we also have the conflict between Sarbanes-Oxley's whistleblowing reporting requirement and EU Member State laws. Last year, the French CNIL (the French data protection agency) and the German Labor Court found that anonymous employee whistleblowing hotlines without certain safeguards are unlawful. The good news is that the CNIL issued guidelines and FAQs on implementing whistleblowing systems, which are available on the CNIL site ( ). Also, the Article 29 Working Party recently adopted a working paper (WP 117) on whistleblowing compliance that provides how the Data Protection Directive should be applied in this context, which is available on (home/fsj/privacy/workinggroup/index_en.htm). Note also that, earlier this year, the First Circuit found that Congress did not intend for the SOX whistleblowing protection provision (Section 806) to apply extraterritorially.

The transfer of airline passenger data from the EU to the U.S. is another important issue. Since 2004, airlines in the EU have been sharing the personal details of those passengers flying to the U.S. with the U.S. Airlines are required to share the personal data of each passenger within 15 minutes of departure for the U.S. Recently, the European Court of Justice - the EU's highest court - ruled that these transfers are illegal. The ECJ gave the EU until September 30 to find an alternative solution to transfer the data.

Data retention is another major issue. Last year, the EU approved rules requiring all telecom providers and ISPs to retain telephone and Internet traffic (all customer phone calls and electronic communications, but not the content of such communications) for up to 2 years. Note that, in the U.S., the Attorney General and the FBI Director have been urging ISPs to retain nonpersonal customer data (e.g., searches, Web surfing habits, etc.) for 2 years, which could be used in terrorism and child pornography investigations.

Editor: Do you foresee a comprehensive U.S. federal privacy law?

Eleftheriou: Yes, it's inevitable. Can anyone argue that our current "band-aid" (or sectoral) approach to data protection is better than a comprehensive federal privacy law?

Editor: Any final thoughts or suggestions on data privacy or security?

Eleftheriou: Businesses should ensure that their data collection, use, disclosure and security practices are consistent with the representations made in their privacy policies - this cannot be emphasized enough.

Do not panic if you experience a data security breach; this does not necessarily mean that you failed to implement reasonable and appropriate measures to secure your customers' personal data. However, entities that have not experienced a data security breach should not assume that they will not get a knock on the door from the government. Those entities that are looking for guidance on what is generally considered reasonable data security measures should take a look at the FTC's GLBA Safeguards Rule.

Expect to see an increasing number of government requests for customer information - personal and nonpersonal. Appropriate management and disclosure measures on how to cooperate with government investigations should be in place.

Published July 1, 2006.