The third quarter is typically one of the quieter ones, encompassing the last two months of summer and then, the invariable return to work and school.
But for privacy, Q3 2015 was actually one of the more active quarters of the year with developments that impacted both the advertising ecosystem in general and privacy in particular.
Here’s a spotlight on three of the main developments that we’ve been tracking closely.
The FTC had a significant win when the Third Circuit affirmed their right to regulate “data security” in the agency’s long standing case against Wyndham Hotels. Now the case has been remanded to see whether or not Wyndham adopted “reasonable” data security practices after being breached repeatedly by Russian hackers. Check out my recent blog post for more details.
The FTC also continued its scrutiny of companies who claim to be part of the US-EU or US-Swiss Safe Harbor frameworks for transferring personal data from the EU to the US. The agency filed consent decrees against thirteen companies who either let their Safe Harbor certifications lapse or misrepresented their Safe Harbor status altogether.
After actions in January and April of this year, the total number of Safe Harbor cases filed by the FTC now stands at 27 (for a total of 39 enforcement actions altogether). How many Safe Harbor cases have been filed by EU regulators? Zero. And yet, EU regulators have been challenging the validity of the Safe Harbor. In fact, just last week, an Advocate General for the EU’s Court of Justice declared the Safe Harbor invalid for transfers of personal data from the EU to the US. More, in our Safe Harbor recap later on in this update.
FCC emerges as another Enforcer to Watch
Under the leadership of Chairman Tom Wheeler, the FCC has emerged as a dynamic (and sometimes feared) regulator – one that is clearly competing with the FTC on several consumer protection and data privacy enforcement issues. Case in point: the FCC’s enforcement chief Travis LeBlanc (formerly chief of the consumer protection division at the California Attorney General’s office), has brought in nearly $500 million in fines this year alone, including a $100 million fine against AT&T for misrepresenting the “unlimited” nature of its data plans.
In past months, we’ve also seen discussion about the FCC’s attempts to reclassify “edge” providers as common carriers subject to FCC rules, including the agency’s privacy rules. Edge providers include companies that offer online services and content, track user activity, and collect personal information. Most notably, this group could include companies Apple, Google, and Facebook; it could also potentially include SAAS-based, B2B providers like TUNE. This should make for an interesting few months as the FCC attempts to push their regulatory agenda through this Fall. Some of the supposed edge providers are already on record with their objections – take a look at Google’s February 2015 FCC filing arguing among, other things, that edge providers should not be classified as common carriers or ISPs because they, just like end users, rely on ISPs for “interconnection”.
And back to the Safe Harbor – which remains the primary way that many US companies (including TUNE), transfer personal data compliantly between the EU and the US.
Last week, the Advocate General to the European Court of Justice (“ECJ”) issued an opinion stating that the Safe Harbor was “invalid” when it came to transfers of data from the US to the EU – primarily because of the US Government’s “mass and indiscriminate surveillance and interception” of personal data belonging to EU citizens. The opinion made no mention of surveillance by EU and other foreign governments – which Snowden has also revealed.
In response, Tony Gardner (US Ambassador to the EU) issued this statement taking issue with the Advocate General’s opinion and emphasizing:
“The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens.”
Gardner also reminded the Advocate General and other Safe Harbor detractors that PRISM was actually directed against foreign intelligence targets, and is subject to some form of process. He also cited recent positive developments, such as the Judicial Redress Act of 2015, currently in Congress, which would provide a private right of action to EU citizens seeking damages against US companies in US courts, for privacy violations.
It’s unclear to what extent the Advocate General’s opinion will influence the ECJ which is currently considering the case of Schrems v. Facebook. Austrian citizen Max Schrems is suing Facebook over its privacy practices – including Facebook’s reliance on the Safe Harbor for transfers of data from the EU to the US. That decision is expected Oct. 6th. You can learn more about the details of the Advocate General’s Opinion and it’s potential impact on the Schrems v. Facebook case, in this article.
For now, the Advocate General’s opinion has clearly thrown a wrench into current negotiations between the EU and the US on the Safe Harbor (earlier this month, both parties were predicting that a resolution was imminent). Of most concern, is the opinion’s reasoning that individual EU data protection authorities have “the power to order the suspension of the transfer of data where there is a proven breach or a risk of a breach of fundamental rights”. This means that individual EU data protection regulators can, in certain instances, block transfers of data from the EU to the US. It’s unclear how this will play out; prior to the opinion, there was no basis for an individual EU country to unilaterally pull out of what is essentially an international treaty between the EU and the US.
With these developments in play, Q4 is shaping up to be a particularly pivotal one for privacy and data protection on both sides of the Atlantic. The ECJ’s decision on Schrems v. Facebook is expected October 6th (and with it, the fate of the Safe Harbor). There will be hearings on the FCC’s attempts to reclassify edge providers as “common carriers”. A vote is expected on the Cybersecurity Information Sharing Act (CISA) sometime in October. And, on November 16th, the FTC will hold an important workshop in Washington DC, on cross-device tracking.
We’ll be monitoring these developments closely and look forward to recapping and rehashing in our Q4 update and subsequent newsletters.
Like this article? Sign up for our blog digest emails.
Becky is the Senior Content Marketing Manager at TUNE. Before TUNE, she led a variety of marketing and communications projects at San Francisco startups. Becky received her bachelor's degree in English from Wake Forest University. After living nearly a decade in San Francisco and Seattle, she has returned to her home of Charleston, SC, where you can find her enjoying the sun and salt water with her family.