Antitrust, Vol. 26, No. 3, Summer 2012. 2012 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may notbe copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
B Y C H R I S T O P H E R W O L F A N D W I N S T O N M A X W E L L
TECHNOLOGICAL ADVANCEMENTS social media, and Cloud computing cross national borders,
have made it easier and more cost effective for
allowing data to be transmitted to any location in the world.
businesses to collect, use, share, and store vast
As such, the privacy problem is not restricted to any one juris-
amounts of personal information about con-
diction. Indeed, the wonder of modern technology is the
sumers and employees alike. As a result, priva-
ability of people to access information and entertainment
cy is becoming an ever-important issue for businesses of all
from virtually anywhere, and to send information globally.
types and sizes. The media increasingly are turning their
Thus, one would expect nations of the world to focus on a
attention to privacy-related issues, raising the stakes for busi-
global standard of protection, and to harmonize existing
nesses that maintain personal information, as one instance of
mishandling personal information could harm the public’s
In that connection, at a recent conference held simulta-
perception of a business. There are almost daily headlines
neously in Washington and in Brussels, the EU Commis -
about privacy abuses and mistakes. The continuing, Pulitzer
sioner for Justice, Fundamental Rights and Citizenship and
Prize-nominated, Wall Street Journal series entitled “What
the U.S. Secretary of Commerce issued a joint statement
They Know” has focused national and international attention
declaring that “[t]his is a defining moment for global personal
on the often-undisclosed uses of Internet tracking technolo-
data protection and privacy policy and for achieving further
gy to collect and share consumer information obtained from
interoperability of our systems on a high level of protec-
computers and mobile devices.1 Thus, it is not surprising
that policymakers around the world are re-examining the
One basis for the hoped-for interoperability is the wide
legal framework that regulates the collection, use, sharing,
agreement around the world, as there has been for decades,
and storing of personal information—making more robust
on the basics of what it means to protect privacy in an infor-
the protections afforded to such information, and increasing
mation age. The so-called “Fair Information Practice Prin -
ciples,” or “FIPPs,” focus on empowerment of people to con-
The privacy frameworks recently proposed by the Euro -
trol their personal information and on safeguards to ensure
pean Commission, the White House, and the FTC seek
adequate data security.3 FIPPs form the core of the 1980
more protection of individuals, and are founded on the same
OECD privacy guidelines on which both the U.S. and
underlying principles of fairness. However, despite a common
European models are based, and that were adopted “to har-
foundation, the privacy regimes from opposite sides of the
monise national privacy legislation and, while upholding [ ]
Atlantic exhibit fundamental differences in approach and
human rights, [ ] prevent interruptions in international flows
The Global Nature of Privacy The Targeted Approach to Privacy in the
As a result of the ubiquitous nature of the Internet, data
United States
rarely stays in only one jurisdiction. Rather, the Internet,
Historically, the EU and United States have taken divergentapproaches to implementing the FIPPs. In the United States,
C hrist opher Wolf is a par tn er in H ogan Lov el ls US LL P, resident in
where privacy interests are balanced with the right to free
Washington, DC, where he leads the global Privacy and Information
expression and commerce, and where the legal framework
Management practice. Winston Maxwell is a par tner in the Paris office of
assumes that—as a practical matter—not every piece of per-
Hogan Lovells Int’l LLP, where he focuses on data protection, technology,
sonal information can be protected and policed, the frame-
media, and telecoms. The authors acknowledge with thanks the assistance
work provides the highest levels of protection for sensitive
of their Hogan Lovells colleague Steve Spagnolo in the preparation of this
personal information, such as financial, health, and chil-
dren’s data. For example, the Gramm-Leach-Bliley (GLB)
Act regulates how financial institutions collect, disclose, share,
ing programs in place within businesses to provide physical,
and protect personally identifiable financial information.5
administrative, and technical protections for personal data,
The Health Insurance Portability and Accountability Act
and to ensure that new products and services take privacy
(HIPAA) regulates the use and disclosure of “protected health
information” by such entities as physicians, hospitals, and
In a revealing 2011 Stanford Law Review article, Univer -
health insurers.6 And the Children’s Online Privacy Pro -
sity of California at Berkeley Professors Kenneth Bamberger
tection Act of 1998 (COPPA), regulates websites’ collection
and Deirdre Mulligan presented findings from the first
and use of the personally identifiable information of chil-
study of corporate privacy management in fifteen years.16
Bamberger and Mulligan effectively responded to the criti-
A major, if not defining characteristic of U.S. privacy law,
cism of the U.S. privacy regime as lacking sufficient legal
comes from the targeted enforcement actions against bad
protections (what they termed “privacy on the books”) with
(or negligent) actors—principally by the U.S. Federal Trade
a descriptive account of privacy “on the ground.” They
Commission—which has created a “common law” of what is
explored the emergence of the Federal Trade Commission as
expected from business when it comes to the collection, use,
a privacy regulator; the increasing influence of privacy advo-
and protection of personal information. The FTC has author-
cates; market and media pressures for privacy protection;
ity to take enforcement action against “unfair or deceptive”
and the rise of privacy professionals, and concluded that,
practices. In the privacy context, this has resulted in enforce-
together, these factors played a major role in preventing vio-
ment actions against companies that have promised some-
lations of consumers’ expectations of privacy in the United
thing in their privacy policies about the collection, use, or
protection of personal information but, in practice, handledthe personal information in ways that differed from the
The EU’s Across-the-Board Approach to Privacy
promised treatment. Early examples include enforcement
In the EU, by contrast, a region-wide Directive, with nation-
actions against Eli Lilly,8 Microsoft Passport,9 and Gateway,10
al laws in twenty-seven jurisdictions to implement the
when each company made representations concerning its
requirements of the Directive, purports to regulate every
data practices—such as how data will be collected, shared,
piece of personal information and is predicated on the notion
and protected—which were contrary to what actually hap-
that privacy is a fundamental human right.17 Thus, under the
approach of across-the-board regulation, there are strict lim-
Data security breach notification laws require public noti-
its on the collection and use of information, although
fication of information security mishaps. The laws motivate
enforcement of those limits has been episodic. Some of the
companies to improve their data security to avoid having to
enforcement actions have been criticized, such as a criminal
report breaches publicly since publicity invites legal chal-
case against Google executives on the grounds of invasion of
lenges. With the advent of the breach notification laws11 the
privacy for a video posted by a YouTube user that depicted
FTC developed new targets for enforcement—inadequate
a group of Italian students bullying a disabled classmate—
information security programs. A number of FTC enforce-
a video that Google took down within hours of being noti-
ment actions have resulted in consent decrees requiring com-
fied about it.18 After removing the video, Google fully coop-
prehensive data security programs regularly assessed and
erated with Italian police to help identify the individual who
reported upon by independent outside auditors. For example,
uploaded the video, and the video was used to convict that
the FTC brought enforcement actions against BJ’s Wholesale
individual. Google stated in its official blog that “[i]n these
Club12 and DSW,13 both of which were victimized by hack-
rare but unpleasant cases, that’s where our involvement
ers who tapped into their computer systems to obtain their
would normally end,” but four Google executives were sub-
customers’ credit card information, alleging that each com-
sequently arrested and charged with violating Italian privacy
pany failed to provide reasonable security for the sensitive
laws for not blocking the video, and three of them were con-
customer information that it collected and maintained. The
FTC required both companies to implement, establish, and
Another example of controversial enforcement of privacy
maintain comprehensive security programs.
laws in the EU is a case currently before the European Court
The 2011 settlements by Facebook14 and Google15 with
of Justice in which the Court has been asked to decide
the FTC contained, for the first time, requirements for com-
whether Google must honor requests from Spanish citizens
prehensive (and auditable) privacy programs, patterned on
who wish to have their data removed from Google’s search
the FTC requirements in the data security area. These pro-
engine, even when Google is not the creator of the content.20
gram requirements are seen as creating a new and heightened
These unusual cases are distinct from the FTC’s enforce-
FTC standard for protection of consumer data.
ment actions, whose consent decrees have the effect of setting
In addition, Chief Privacy Officers (CPOs) are proliferat-
certain standards of conduct for American businesses.
ing and gaining in importance in U.S. businesses, adding to
Still, the EU firmly believes its framework is superior to
the level of American privacy protection. CPOs ensure that
that of the United States, and it has been steadfast in the
there are documented and enforceable compliance and train-
belief that because the United States does not have an across-
the-board privacy law, its protections are inadequate andtransfers of personal data from the EU to the United States
[ T h e E U ] h a s b e e n s t e a d f a s t i n t h e b e l i e f t h a t
must be controlled and subject to special regulation. VivianeReding, Vice President of the European Commission and
b e c a u s e t h e U n i t e d S t a t e s d o e s n o t h av e a n
Commissioner for Justice, Fundamental Rights and Citizen -ship, is skeptical of anything less than comprehensive U.S. a c r o s s - t h e - b o a r d p r i v a c y l aw, i t s p r o t e c t i o n s a r e
privacy legislation akin to that in the EU.21
The belief on the European side that the United States
i n a d e q u a t e a n d t r a n s f e r s o f p e r s o n a l d a t a f r o m t h e
lacks adequate protections for personal data theoretically
E U t o t h e U n i t e d S t a t e s m u s t b e c o n t r o l l e d a n d
could mean that personal data could not be transferred acrossEU borders to the United States, bringing trans-Atlantic
s u b j e c t t o s p e c i a l r e g u l a t i o n .
commerce to a grinding halt. To address that unthinkableresult, legal mechanisms have been established, requiringexpense and burden, to transfer data from the EU to the
residents, or monitor their behavior. And, if they are sub-
United States. These mechanisms are the EU-U.S. Safe
ject to its rules, with certain exceptions, they must appoint
Harbor,22 which requires eligible businesses to certify com-
a representative to whom data protection concerns may be
pliance with the Safe Harbor principles of notice, choice,
onward transfer, data integrity, security, access, and verifica-
A new principle of accountability would require data
tion and enforcement; Model Contracts,23 which are standard
controllers to demonstrate their compliance with the law
contractual clauses approved by EU authorities that must be
by maintaining extensive documentation on their pro-
included in agreements that involve the transfer of personal
cessing, implementing appropriate security requirements,
data outside the EU; and Binding Corporate Rules,24 which
and performing impact assessments when required. This
are a set of comprehensive internal policies and procedures
replaces the current requirement of administrative filings.
that allow for intra-company cross-border transfers, and that
Ⅲ There are new rights to have data deleted (the “right to be
must conform to standards approved by EU authorities.
forgotten”) and to move data from one service to anoth-
Some had speculated, or perhaps merely hoped, that the
er (“data portability”), which would have a particular
current focus on improving the privacy frameworks in the
United States and the EU would bring the parties closer to
Ⅲ Borrowing from the U.S.-developed concept of data secu-
international harmonization or comity. In the past few
rity breach notification laws, data breaches would have to
months recent proposals for privacy reform were announced
be reported to supervisory authorities without undue delay
in Brussels and Washington, but it remains to be seen
and, where feasible, within twenty-four hours—a time
whether those reforms will act to ease the tensions between
period most people experienced with data breach notifi-
the EU and the United States over their respective approach-
cation view as impractical. “Serious breaches” must also be
es to privacy, so that there will be convergence and greater
cooperation between the two regimes. Ⅲ Binding Corporate Rules are expressly recognized in the
Regulation as an appropriate form of compliance for inter-
The Proposal for an EU Privacy Regulation
national cross-border transfers of data. They will be sub-
In January, the European Commission unveiled a new pro-
ject to approval by only one supervisory authority, thus
posal for privacy in the EU, calling for a region-wide
shortening the current and very long approval process.
Regulation that would replace national laws passed in each
Ⅲ Where consent is to be a ground for data processing, it
EU Member State to implement the 1995 Directive on Data
must be explicit. Implied consent will no longer be possi-
Protection and proposing strict new privacy rules (and penal-
ble and, once given, consent can be withdrawn at any
ties for violating those rules).25 Upon final passage of the
Regulation, the current 1995 Data Protection Directive
Ⅲ Fines may be imposed by supervisory authorities for vio-
would be repealed. The proposed rules are intended to take
lations of the proposed Regulation, reaching up to 2 per-
into account the pervasive new technologies capable of col-
cent of an organization’s annual turnover in the most seri-
lecting and sharing information about people, and to give
ous cases. This potential fining authority for failing to
individuals more control over their personal information.
abide by the Regulation’s many still-to-be-clarified provi-
Ⅲ Under the new Regulation, individuals and organizations
sions is viewed by many as potentially draconian.
would only need to deal with one supervisory authority,
The draft Regulation has entered the political process of
located in the country of their main establishment or res-
the EU co-decision procedure, under which agreement will
idence, rather than the fragmentary jurisdiction current-
need to be reached between the European Parliament and the
ly provided by the Directive. The Regulation would make
Council of the European Union. There is no way to predict
organizations outside the EU subject to its provisions if
exactly how long that process may take, but debate has
they process personal data to offer goods or services to EU
The Obama Administration’s Proposals for
Referring to the differences in national privacy laws that
Better Privacy
create challenges for businesses that wish to transfer data
One month after the announcement in Brussels of the pro-
across national borders, the Administration states that it is
posed Regulation to replace the Data Protection Directive,
“critical to the continued growth of the digital economy
the Obama Administration announced its “Privacy Blue -
that they strive to create interoperability between privacy
print” for the United States, calling for legislation containing
regimes.”29 The Administration states that it is committed to
a Privacy Bill of Rights and proposing enforceable codes of
increasing international interoperability by pursing mutual
conduct developed through a so-called “Multistakeholder
recognition of commercial privacy frameworks, international
codes of conduct based on the multistakeholder process,
The cornerstone of the Administration’s privacy blueprint
and bilateral or multilateral enforcement cooperation.
is the Consumer Privacy Bill of Rights, which adapts the
Finally, the Administration calls on Congress to adopt the
decades-old Fair Information Practice Principles to the inter-
Consumer Privacy Bill of Rights—noting that Congress
connected and interactive world. The Privacy Bill of Rights
should provide the FTC and State Attorneys General with the
applies to commercial uses of personal data and seeks to pro-
power to enforce those rights—as well as a national standard
vide greater privacy protection for consumers and greater
for security breach notification, which would replace the
patchwork of state breach notification laws that are current-
There are seven core rights that comprise the Privacy Bill
ly in effect in forty-six states, the District of Columbia, Puerto
Ⅲ Individual Control: Consumers have a right to exercise
control over what personal data organizations collect from
The Federal Trade Commission’s Privacy Viewpoint
Shortly after the White House announcement of its priva-
Ⅲ Transparency: Consumers have a right to easily under-
cy proposals, the independent U.S. Federal Trade Commis -
standable information about privacy and security prac-
sion followed with a report on privacy containing that
agency’s expectations and hopes for the collection of per-
Ⅲ Respect for Context: Consumers have a right to expect
sonal information. Entitled “Protecting Consumer Privacy
that organizations will collect, use, and disclose personal
in an Era of Rapid Change: Recommendations for Busi -
data in ways that are consistent with the context in which
nesses and Policy makers,” the Report is intended to articu-
late “best practices” for companies that collect and use con-
Ⅲ Security: Consumers have a right to secure and responsi-
sumer data, and to assist Congress as it considers new
Ⅲ Access and Accuracy: Consumers have a right to access
The Report calls for companies to implement (1) privacy
and correct personal data in usable formats, in a manner
by design, (2) simplified consumer choice, and (3) greater
that is appropriate to the sensitivity of the data and the risk
transparency; and it recommends that Congress pass baseline
of adverse consequences to consumers if the data are inac-
privacy legislation. The Report also encourages companies to
incorporate substantive privacy protections (e.g., data secu-
Ⅲ Focused Collection: Consumers have a right to reason-
rity, collection limits, retention and disposal practices, and
able limits on the personal data that companies collect and
data accuracy) and maintain comprehensive data manage-
ment procedures throughout product and service life-cycles. Ⅲ Accountability: Consumers have a right to have person-
In addition, companies are called upon to give consumers a
al data handled by companies with appropriate measures
choice about their data at a time and in a context in which
in place to assure they adhere to the Consumer Privacy Bill
the consumer is making the decision, and to obtain affirma-
tive express consent before collecting sensitive data or mak-
The Administration’s blueprint contemplates a multi-
ing material retroactive changes to privacy representations.
stakeholder approach spearheaded by the Department of
The Report proposes that privacy notices should be clearer,
Commerce that will produce enforceable codes of conduct
that implement the Privacy Bill of Rights. The multistake-
FTC Chairman Jon Leibowitz, commenting on the
holder approach is championed by the Administration due to
Report, stated: “If companies adopt our final recommenda-
the “flexibility, speed, and decentralization necessary to
tions for best practices—and many of them already have—
address Internet policy challenges.”28 This process is designed
they will be able to innovate and deliver creative new serv-
to avoid a one-size-fits-all approach and instead opts for flex-
ices that consumers can enjoy without sacrificing their
ibility and a tailored standard. In addition to flexibility, the
speed with which the multistakeholder process is expected to
In the Report, the FTC recommends new targeted legis-
be able to produce solutions—as compared to the regulato-
lation to address the practices of data brokers, and recognizes
ry or law making process—is also appealing due to the con-
that the more sensitive the data, the greater the protections
stantly evolving nature of privacy issues.
needed. The new framework applies to both online and
offline contexts and to data that is “reasonably linkable” to
And the U.S. proposed rules do not contemplate a “right to
specific consumers, computers, or devices.
be forgotten,” a major feature of the EU proposal and one
The Report also highlights five “action items” that the
that First Amendment scholar Professor Jeffrey Rosen has
FTC will focus on over the next year to promote the new pri-
labeled “the biggest threat to free speech on the Internet in
Ⅲ Do Not Track: The FTC will work with industry to
Similarly, there is no right to “data portability” in the
implement an “easy-to-use, persistent, and effective Do
U.S. proposals as there is in the EU plan. The EU proposal
Not Track system” which will allow users to opt out of
contemplates broad jurisdiction to enforce its law, even
being tracked by online advertising networks and other
extending to U.S. businesses without a physical presence in
the EU, under certain circumstances. And even though the
Ⅲ Mobile: The FTC recommends that companies providing
EU has borrowed the data breach notification idea from the
mobile services improve their privacy practices, including
United States, it proposes a presumptive obligation to provide
through the use of shorter, more meaningful disclosures.
notice within twenty-four hours of a breach, a time frame
Ⅲ Data Brokers: As mentioned above, the FTC is support-
widely regarded as wholly unworkable by those who have
ing targeted legislation to provide consumers with greateraccess to the personal information held by data brokers. Italso recommends that data brokers develop a centralized
. . . t h e U . S . p r o p o s e d r u l e s d o n o t c o n t e m p l a t e
website to identify themselves to consumers, describe theirinformation practices, and detail the access rights and
a “ r i g h t t o b e f o r g o t t e n , ” a m a j o r f e a t u r e o f t h e
other choices they provide with respect to consumer data.
Ⅲ Large Platform Providers: The FTC is planning to host E U p r o p o s a l . . .
a public workshop in the second half of 2012 to exploreprivacy issues associated with “comprehensive” online
worked under the U.S. data breach laws. Finally, the EU
tracking that can be conducted by ISPs, operating systems,
proposes a schedule of monetary fines of up to 2 percent of
an entity’s global worldwide turnover for violations of the
Ⅲ Self-Regulatory Codes: The FTC will participate in the
proposed Regulation––an amount that many stakeholders
Department of Commerce’s upcoming multistakeholder
view as unreasonable due to the discretion given to enforcers
process to develop voluntary, enforceable industry codes of
Until the EU Regulation is finalized, businesses need to
consider the impact of the proposed new rules on their oper-
Impact of the Recent Proposals
ations and on their bottom lines. Importantly, they also need
As is evident from these descriptions of the EU, White
to consider whether the proposed rules even are achievable
House, and FTC 2012 proposals, there indeed are common
under their particular business models. The period ahead
aspects to the EU and U.S. proposals. Both call for imple-
will be one of adjustments to the proposed EU Regulation to
mentation of the “Privacy by Design” concept intended to
make it acceptable to the European Parliament and to the
build privacy sensitivity and consideration into every stage of
Council of the European Union, the bodies responsible for
the development of products and services. Both recognize the
the co-decision procedure required to adopt the Regulation.
importance of accountability by those who collect and use
Input can be expected from businesses in Europe concerned
personal data. Both reflect the principle that people should
about the practicality and the effect on trade of the proposed
not be surprised by the use of their personal data collected for
more-restrictive privacy rules. Likewise, in the United States,
one purpose but used for another purpose. There is no dis-
the exact shape of the new privacy framework is still to be
agreement about the need for informed consent about the
determined, on Capitol Hill and through the work of the
collection and use of personal information (although the
kind of consent envisioned in each jurisdiction differs as to
As things now stand there is a big gap to bridge between
various categories of data). Finally, the U.S. view of what con-
the two trans-Atlantic approaches. Both are, in many ways so
stitutes “personal data” seems to be moving toward the EU’s:
close, yet very far apart in fundamental respects. Ⅵ
the FTC refers to data that can be “reasonably linked to a spe-cific consumer, computer or other device,”33 a standard very
close to—and arguably even broader than—the EU defini-
What They Know—Wsj.com, http://online.wsj.com/public/page/what-they-know-digital-privacy.html (last visited Apr. 19, 2012) (updated periodically).
2 Viviane Reding, European Commission Vice President and Commissioner for
Big differences in approach emerge from the fact that the
Justice, Fundamental Rights and Citizenship, and John Bryson, U.S.
United States, while proposing a first-ever federal privacy
Secretary of Commerce, EU-US Joint Statement on Data Protection (Mar. 19,
law with a “Privacy Bill of Rights,” still intends to rely on a
2012), available at http://europa.eu/rapid/pressReleasesAction.do?refer
variety of self-regulation (more precisely, co-regulation, since
ence=MEMO/12/192&format=HTML&aged=0&language=EN&guiLanguage=en.
self-regulatory rules could be enforced by law enforcement).
Fed. Trade Comm’n, Fair Information Practice Principles, http://www.ftc.gov/
See Nick Leiber, Why the Google-Italy Privacy Case Matters to Your Business,
reports/privacy3/fairinfo.shtm (the five FIPPs, as set forth by the FTC,
BLOOMBERG BUSINESSWEEK (Mar. 3, 2010), http://www.businessweek.com/
are: (1) Notice/Awareness, (2) Choice/Consent, (3) Access/Participation,
smallbiz/running_small_business/archives/2010/03/why_the_google-
(4) Integrity/Security and (5) Enforcement/Redress) (last visited Apr. 19,
.html; see also Kit Eaton, Italy Convicts Google Execs on Privacy InvasionCharges, Revisits Dark Ages, FAST CO. (Feb. 24, 2010, 7:19 AM), http://
www.fastcompany.com/1560995/google-youtube-italy-law-legal-court-
OECD, OECD Guidelines on the Protection of Privacy and Transborder Flows
of Personal Data, http://www.oecd.org/document/18/0,3746,en_
2649_34255_1815186_1_1_1_1,00.html (last visited April 19, 2012).
Serious Threat to the Web in Italy, GOOGLE OFFICIAL BLOG (Feb. 24, 2010,
4:57 AM), http://googleblog.blogspot.com/2010/02/serious-threat-to-web-
Financial Services Modernization Act (Gramm-Leach-Bliley), Pub. L. No. 106-
in-italy.html#!/2010/02/serious-threat-to-web-in-italy.html.
102, 113 Stat. 1338 (1999) (codified at 15. U.S.C. §§ 6801–6809).
See Claire Davenport, Spain Refers Google Privacy Complaints to EU’s Top
Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. Court, REUTERS (Mar. 2, 2012, 1:31 PM), http://www.reuters.com/article/
No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered
2012/03/02/us-eu-google-idUSTRE8211DP20120302 (The individual
requests to remove data from Google’s search results include a plastic sur-
7 Children’s Online Privacy Protection Act (COPPA), Pub. L. No. 105-277, 112
geon who wants to have all references to a “botched operation” removed,
Stat. 2681-728 (1998) (codified at 15 U.S.C. §§ 6501–6506).
and a man who wishes that references to the repossession of his home due
8 Eli Lilly and Co., FTC File No. 012-3214 (2002), available at http://
to non-payment of social security be removed).
www.ftc.gov/os/caselist/0123214/0123214.shtm (Eli Lilly provided a serv-
21 Viviane Reding, European Commission Vice President and Commissioner for
ice to consumers that used the anti-depressant medication Prozac, which
Justice, Fundamental Rights and Citizenship, Speech at the 2nd Annual
enabled the consumers to receive email reminders when it was time to take
European Data Protection and Privacy Conference: The Future of Data
or refill their medication. In an email communicating the termination of the
Protection and Transatlantic Cooperation (Dec. 6, 2011) (“I am worried
reminder program, an Eli Lilly employee accidentally disclosed to each par-
that US ‘self-regulation’ will not be sufficient to achieve full interoperability
ticipant in the program the email addresses of all other participants, which,
between the EU and US.”), available at http://europa.eu/rapid/press
the FTC claimed, was contrary to the claims of privacy and confidentiality
ReleasesAction.do?reference=SPEECH/11/851&type=HTML.
that Eli Lilly made in its privacy policies.).
22 See Welcome to the U.S.- E.U. Safe Harbor, EXPORT.GOV, http://export.
9 Microsoft Corp. FTC File No. 012-3240 (2002), available at http://www.ftc.
gov/safeharbor/eu/eg_main_018365.asp (last visited Apr. 19, 2012).
gov/os/caselist/0123240/0123240.shtm (Microsoft made a series of
23 See Model Contracts for the Transfer of Personal Data to Third Countries,
misrepresentations about its data privacy and security practices with regard
EUROPEAN COMM’N—JUSTICE, http://ec.europa.eu/justice/policies/privacy/
to data collected through its Passport Web services. Notably, Microsoft
modelcontracts/index_en.htm (last visited Apr. 19, 2012).
claimed that it did not collect any personally identifiable information other
than as described in its privacy policy and that it employed a high level of
See Overview—BCR, EUROPEAN COMM’N—JUSTICE, http://ec.europa.eu/
online security with respect to the data collected, claims which the FTC
justice/policies/privacy/binding_rules/index_en.htm (last visited Apr. 19,
Gateway Learning Corp., FTC File No. 042-3047 (2004), available at
European Commission, Proposal for a Regulation of the European
http://www.ftc.gov/os/caselist/0423047/0423047.htm (Gateway rented
Parliament and of the Council on the Protection of Individuals with Regard
consumers’ personal information to third parties contrary to statements in
to the Processing of Personal Data and on the Free Movement of Such Data
its online privacy policy that it would not do so absent the consumer’s explic-
(General Data Protection Regulation), Jan. 25, 2012, available at http://
ec.europa.eu/justice/data-protection/document/review2012/com_2012_
Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands
have enacted laws that require notification of security breaches that involve
THE WHITE HOUSE, CONSUMER DATA PRIVACY IN A NETWORKED WORLD:
protected personal information. These laws require notification in a rea-
A FRAMEWORK FOR PROTECTING PRIVACY AND PROMOTING INNOVATION IN THE
sonable amount of time to the individuals whose data was compromised,
GLOBAL DIGITAL ECONOMY (2012), available at www.whitehouse.gov/sites/
and in some instances, to state government entities, such as the State
Attorney General’s office and consumer reporting agencies. See, e.g., CAL.
12 BJ’s Wholesale Club, Inc., FTC File No. 042-3160 (2005), available at
http://www.ftc.gov/os/caselist/0423160/0423160.shtm (The FTC alleged
30 FED. TRADE COMM’N, PROTECTING CONSUMER PRIVACY IN AN ERA OF RAPID
that BJ’s failed to provide reasonable security for sensitive consumer infor-
CHANGE: RECOMMENDATIONS FOR BUSINESSES AND POLICYMAKERS (2012) [here-
mation. Specifically, the FTC noted that BJ’s failed to encrypt the informa-
inafter FTC PRIVACY REPORT], available at http://www.ftc.gov/os/2012/03/
tion, stored it for longer than necessary, stored it in an unsecure manner,
and failed to take measures to prevent and detect unauthorized access to
Fed. Trade Comm’n, FTC Issues Final Commission Report on Protecting
Consumer Privacy (Mar. 26, 2012), http://www.ftc.gov/opa/2012/03/
DSW, Inc., FTC File No. 052-3096 (2005), available at http://www.ftc.gov/
FTC PRIVACY REPORT, supra note 30, at 72–73.
Facebook, Inc., FTC File No. 092-3184 (2011), available at http://ftc.gov/
Google, Inc., FTC File No. 102-3136 (2011), available at http://www.ftc.gov/
The EU definition refers to data that can permit, directly or indirectly, the
identification of a natural person (art. 2, Directive 95/46/EC, supra note
17). Although the EU definition does not refer to machine addresses, most
Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Books and on
European data protection authorities believe that IP addresses and other
the Ground, 63 STAN. L. REV. 247 (2011).
machine identifiers are “personal data” because a machine can in many
17 Directive 95/46/EC of the European Parliament and of the Council of 24
October 1995 on the Protection of Individuals with Regard to the Processing
35 Jeffrey Rosen, The Right to Be Forgotten, 64 STAN. L. REV. ONLINE 88
of Personal Data and on the Free Movement of Such Data, 1995 O.J.
(2012), available at http://www.stanfordlawreview.org/online/privacy-
(L 281) 31 (1995), available at http://eur-lex.europa.eu/LexUriServ/
LexUriServ.do?uri=CELEX:31995L0046:EN:HTML.
Lifealerts 14 July 2010 UK - Abortion 'triples breast cancer risk': Fourth study finds abortion linked to disease Australia - Liberal MP defends abortion law change Spain - New Abortion on Demand Law Takes Effect amid Controversy USA - Life over death No news today UK - GP's admission may lead to fresh charges Holland - Euthanasia cases in Holland rise by 13 per cent in a yea
700 Olympic Plaza, Suite 850, Tyler, Texas, 75701 CERVICAL EPIDURAL INJECTION INFORMATION What is the epidural space? The covering over the nerve roots in the spine is cal ed the dura. The space surrounding this dura is the epidural space. Nerves travel through the epidural space before they travel down into your arms. The nerves leave the spine from smal nerve holes. Inflammatio