

Data, Privacy & Security Practice Report – April 3, 2017

03 Apr 2017

Congress Sends Repeal Of Obama-Era Privacy Rules To The White House — Congress has sent repeal legislation (S.J.Res. 34) to the White House to undo the Federal Communications Commission (“FCC”) broadband privacy rules adopted in October 2016 that would have required cable and wireless companies that are Internet Service Providers (“ISPs”) to take more stringent steps to protect consumers’ personal data.  On Tuesday, March 28, 2017, the House of Representatives (the “House”) voted 215-205 to repeal the rules, which would have obligated ISPs to obtain consent before using certain consumer data for advertising and internal marketing, as well as to strengthen protections against hackers.  Last week, the Senate voted 50-48 to reverse the rules.  The repeal now awaits President Trump’s signature. 

The Obama-era rules had not yet taken effect; the new FCC Chairman Ajit Pai led the FCC to stay the rules’ implementation in a 2-1 vote on March 1, 2017.  After that vote, Chairman Pai and Federal Trade Commission (“FTC”) Chairman Maureen K. Ohlhausen explained in a joint statement that, because the FTC already has authority to regulate the data security practices of ISPs, the new FCC broadband privacy rules would have unfairly subjected ISPs to stricter privacy requirements than edge providers (other companies and platforms on the Internet, like Netflix), who are also regulated by the FTC. 

After the House vote, Chairman Pai applauded the decision of Congress to overturn “privacy regulations designed to benefit one group of favored companies over another group of disfavored companies.”  He added that the FCC’s Open Internet Order of 2015, which reclassified ISPs as Title II common carriers, “created the problem we are facing today,” and that, moving forward, “the FCC will work with the FTC to ensure that consumers’ online privacy is protected through a consistent and comprehensive framework.”

Republicans in the House and Senate agreed that the FCC broadband privacy rules would have been overly burdensome and confusing.  “[Consumer privacy] will be enhanced by removing the uncertainty and confusion these rules will create,” said Rep. Marsha Blackburn (R-Tenn.), who chairs the House subcommittee that oversees the FCC.

But Democrats were disappointed with the vote to repeal the rules, arguing that the rules would have protected consumer privacy, and without them, ISPs are able to sell consumer data to advertisers.  House Minority Leader Nancy Pelosi (D-Calif.) said in a statement before the vote Tuesday, “Your broadband provider knows deeply personal information about you and your family – where you are, what you want to know, every site you visit, and more.  They can even track you when you’re surfing in a private browsing mode.  You deserve to be able to insist that those intimate details be kept private and secure.”

The repeal legislation uses the Congressional Review Act, which allows Congress to revoke recently passed legislation.  Although Senator Ed Markey (D-Mass.) has promised to introduce a bill to instruct the FCC to reinstate the broadband privacy rules, if the current legislation is signed by President Trump, it will forbid the FCC from passing similar regulations going forward.

Reporter, Bethany Rupert, Atlanta, +1 404 572 3525

Federal District Court:  Violation Of The Fair Debt Collection Practices Act — Without More — Counts As A Concrete Injury — On March 24, 2017, the United States District Court for the District of New Jersey concluded that an alleged violation of the Fair Debt Collection Practices Act (“FDCPA” or the “Act”) — without more — counted as a “concrete injury” for the purposes of Article III’s standing requirement.

The FDCPA — specifically, 15 U.S.C. § 1692f(8) — prohibits a debt collector from “[u]sing any language or symbol, other than the debt collector’s address, on any envelope when communicating with a consumer by use of the mails[,] . . . except that a debt collector may use his business name if such name does not indicate that he is in the debt collection business.”

The defendant — Retrieval-Masters Creditors Bureau, Inc. — is a debt collector.  The plaintiff — Thomas E. St. Pierre — alleged that the defendant sent him two letters concerning unpaid E-ZPass debts and associated penalties.  According to the plaintiff, the defendant sent the letters in envelopes with transparent windows through which an observer could see the plaintiff’s name, address, and collection account number.

The plaintiff filed a lawsuit against the debt collector and contended that displaying the plaintiff’s information — his name, address, and collection account number — behind the envelopes’ transparent windows violated the FDCPA.  Specifically, the plaintiff argued that the debt collector violated 15 U.S.C. § 1692f(8) because the information visible behind the envelopes’ transparent windows was something other than what the statute allows to appear on an envelope: the debt collector’s address, and the debt collector’s business name if the name does not convey that it is in the debt collection business.  As remedies, the plaintiff sought statutory damages, costs of the litigation, and attorney’s fees.

The defendant filed a motion to dismiss the complaint.  The defendant, among other things, argued that the plaintiff had failed to allege a concrete harm that satisfied Article III’s standing requirement.  Specifically, the defendant contended that the plaintiff’s allegations were deficient because the plaintiff failed to allege that any actual harm or any risk of actual harm stemmed from the defendant’s conduct.  According to the plaintiff, the defendant’s conduct constituted a concrete harm because it caused an impermissible disclosure of private information about the plaintiff.

To resolve the dispute, the court identified two tests that it believed the Supreme Court of the United States established for determining whether an intangible harm is also a concrete harm. Under the first test, a court must determine whether the alleged harm has a close relationship to a harm that has traditionally been a legitimate basis for lawsuits in English courts or American courts.  Under the second test, a court must determine whether Congress has elevated the harm to the status of a legally cognizable harm.  After reviewing how other courts had dealt with similar alleged harms, the federal district court determined that the right to privacy, which was implicated when the defendant’s conduct disclosed private information about the plaintiff, was deeply rooted in the common law.  Additionally, the court concluded that Congress, by enacting the FDCPA, recognized a right to be free from having a debt collector disclose one’s private information on a debt collection envelope.  On those grounds, the court decided that the plaintiff’s alleged harm was concrete and satisfied Article III’s standing requirement.

Although the court determined that the plaintiff had suffered a concrete harm that satisfied Article III’s standing requirement, the court ultimately granted the debt collector’s motion to dismiss.  An essential requirement of an FDCPA claim is that the defendant’s conduct must involve an attempt to collect a “debt” as defined in the Act.  The court determined that the money the defendant attempted to collect did not count as a debt according to the Act’s definition and, on that basis, the court dismissed the complaint.

A copy of the court’s decision is available by clicking here.

Reporter, Barrett R. H. Young, Washington, D.C., +1 202 626 2928

There Is More To Come In Europe: The Draft Of The ePrivacy Regulation — In January 2017, the European Commission (the “EC”) published its proposal for a new ePrivacy Regulation (the “ePrivacy Proposal”), which will replace the ePrivacy Directive of 2002 (2002/58/EC) and the Cookie Directives of 2009 (2009/136/EC).  Currently, the draft is pending in the European Parliament and the Council.  The EC’s goal is to adopt the new ePrivacy Regulation by May 25, 2018, when the General Data Protection Regulation (the “GDPR”) will become effective.

The ePrivacy Proposal includes, inter alia, rules on the confidentiality of electronic communication data, on the use of cookies on websites, and on direct marketing practices.  The scope of the ePrivacy Proposal was extended and now also covers for the first time OTT providers, such as WhatsApp, Facebook Messenger and Skype.  As a European regulation, the ePrivacy Regulation will be directly applicable in all EU Member States once it enters into force.

Like the GDPR, the ePrivacy Proposal also provides for strict enforcement measures in cases of non-compliance, with administrative fines up to EUR 20 Million or, alternatively, 4 percent of the total worldwide annual turnover of the preceding financial year.

In a nutshell, the most relevant provisions can be summarized as follows:

  • With respect to confidentiality, the ePrivacy Proposal confirms that electronic communication data is confidential and prohibits any form of interference, surveillance, or processing by persons other than the end-user, except when permitted in the ePrivacy Proposal.  Confidentiality is guaranteed for both communication content and meta data.
  • Regarding the use of cookies, the EC wants to limit the current “consent overload” on websites by distinguishing in the future between non-privacy intrusive cookies, which are necessary and proportionate for a service requested by the end-user (e.g., temporary cookies helping the end-user to keep track of input when filling in online forms over several pages), and other forms of more intrusive cookies (e.g., tracking cookies).  While the end-users’ explicit consent will no longer be required for the use of non-privacy intrusive cookies, end-users should be able to express their consent to the use of other forms of cookies by using appropriate settings of their web browsers.

The EC’s idea is to obtain consent to the use of cookies during the installation of web browsers rather than by clicking on a web banner while surfing the Internet.  In order to obtain such consent, web browsers should require a clear affirmative action from the end-user to signify his or her “freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment” (e.g., by requiring end-users to actively select “accept third party cookies” in the browser’s settings).

  • For direct marketing, informed consent will be key under the ePrivacy Proposal.  The ePrivacy Proposal includes a uniform and clear choice for the “opt-in” model, rather than the “opt-out” model.  Therefore, the ePrivacy Proposal completely bans unsolicited electronic communications by emails, SMS, and automated calling machines.  Certain opt-out exceptions might only apply in the context of an existing customer relationship.

The EC’s ePrivacy Proposal shows that companies should not only focus on the GDPR when making their European operations privacy-compliant, but also should keep the supplementary regulations in mind.  In terms of risk management, obtaining and tracking (opt-in) consent will be essential in the future.  To limit their risk exposure, companies are advised to implement reliable procedures and mechanisms to obtain and track the consent of potential recipients, users, and customers.

The full draft of the ePrivacy Proposal is available on the EC’s website here

Reporter, Sebastian D. Müller, Frankfurt, +49 69 257 811 201


King & Spalding’s 2017 Cybersecurity & Privacy Summit — On Monday, April 24, 2017, make plans to join the cybersecurity and privacy experts from King & Spalding and PwC, as well as representatives from the U.S. Department of Justice, the Federal Trade Commission, Georgia Institute of Technology, The Home Depot, and TSYS, to learn about the latest strategies for protecting your company against the legal and financial risks of cybersecurity breaches and other privacy incidents.