FTC signs memorandum of understanding with ICO to improve consumer privacy

March 8, 2014

The US Federal Trade Commission and the UK Information Commissioner’s Office have signed a memorandum of understanding to promote increased cooperation in protecting consumer privacy.

The media release (with pictures found here) provides (absent photographs):

The U.S. Federal Trade Commission signed a memorandum of understanding (MOU) with the Information Commissioner’s Office (ICO) of the United Kingdom today to promote increased cooperation and communication between the two agencies in their efforts to protect consumer privacy. 

The MOU was signed by FTC Chairwoman Edith Ramirez and the UK’s Information Commissioner and Chief Executive, Christopher Graham. It is designed to bolster their privacy enforcement partnership at a time when more and more consumer information is moving across national borders, increasing the need for cross-border enforcement cooperation.

“As consumer data increasingly crosses borders, the FTC needs to be able to work with privacy enforcers around the globe in investigating potential violations of law,” FTC Chairwoman Ramirez said. “This arrangement with our UK counterpart will help us cooperate on privacy investigations more effectively.”

UK Information Commissioner Graham said: “The processing of personal information does not stop and start at the national border. In the digital age, national regulators must increasingly work together to protect the rights of consumers. The signing of today’s memorandum of understanding with the Federal Trade Commission is a demonstration of our commitment towards working with our international partners and can only be to the benefit of people in the United States and the United Kingdom.”

The FTC is the chief U.S. consumer privacy agency.  The agency’s comprehensive privacy program uses law enforcement, research, policy initiatives, and consumer and business education to protect consumers’ personal information.  The UK’s ICO is responsible for protecting its citizens’ privacy through enforcement of the UK Data Protection Act, which implements the European Union’s 1995 Data Protection Directive.

Over the last several years, the FTC and the ICO have worked together on numerous investigations and international initiatives to increase global privacy cooperation. The ICO and the FTC are both founding members of the Global Privacy Enforcement Network (GPEN) and the London Action Plan, an anti-spam initiative.

In addition, earlier today the FTC, together with agency officials from the European Union and Asia-Pacific Economic Cooperation (APEC) economies, announced a project mapping two systems for protecting data transferred across borders.  The project maps together the requirements for APEC Cross Border Privacy Rules (CBPRs) and EU Binding Corporate Rules (BCRs). The document, jointly designed by APEC officials and the EU’s Article 29 Data Protection Working Party, is designed to be a practical reference tool for companies that seek “double certification” under these APEC and EU systems, and shows the substantial overlap between the two.  FTC Chairwoman Ramirez introduced the project at a press briefing today, along with Isabelle Falque-Pierrotin, President of the French data protection authority and Chair of the Article 29 Working Party.

The Commission vote authorizing Chairwoman Ramirez to sign the MOU on behalf of the agency was 4-0.

As more U.S. companies and consumers do business overseas, more FTC work involves international cooperation. The Office of International Affairs serves both as an internal resource to Commission staff on international aspects of their work and as an official representative to numerous international organizations. In addition, the FTC cooperates with foreign authorities through formal and informal agreements. The FTC works with more than 100 foreign competition and consumer protection authorities around the world to promote sound policy approaches. For questions about the Office of International Affairs, send an e-mail to oia@ftc.gov.

The MOU (found here) provides:

MEMORANDUM OF UNDERSTANDING BETWEEN THE UNITED STATES FEDERAL TRADE COMMISSION AND THE INFORMATION COMMISSIONER’S OFFICE OF THE UNITED KINGDOM ON MUTUAL ASSISTANCE IN THE ENFORCEMENT OF LAWS PROTECTING PERSONAL INFORMATION IN THE PRIVATE SECTOR

The United States Federal Trade Commission (“FTC”) and the Information Commissioner’s Office (“Commissioner”) of the United Kingdom (collectively, “the Participants”),

 RECOGNIZING the nature of the modern global economy, the increase in the flow of personal information across borders, the increasing complexity and pervasiveness of information technologies, and the resulting need for increased cross-border enforcement cooperation;

RECOGNIZING that the OECD Recommendation on Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy, the Global Privacy Enforcement Network’s Action Plan, the International Enforcement Coordination Framework of the International Conference of Data Protection and Privacy Commissioners, and the APEC Privacy Framework call for the development of cross-border information sharing mechanisms and enforcement cooperation arrangements; and that such information sharing and enforcement cooperation are essential elements to ensure privacy and data protection compliance, serving a substantial public interest;

RECOGNIZING that the U.S. Federal Trade Commission Act, 15 U.S.C. § 41 et seq., as amended by the U.S. SAFE WEB Act, authorizes the FTC to share information with law enforcement authorities from other countries under appropriate circumstances;

 RECOGNIZING that the Commissioner is the designated authority in the United Kingdom for the purposes of Article 13 of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (which was opened for signature on 28th January 1981) and is the supervisory authority in the United Kingdom for the purposes of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

RECOGNIZING that the Participants each have functions and duties with respect to the protection of personal information in their respective countries;

 RECOGNIZING that the Participants have worked together in connection with numerous investigations and enforcement actions relating to matters such as unsolicited commercial email (spam), corporate privacy practices, and automated telephone calls (robocalls);

RECOGNIZING that the Participants have cooperated in the context of several international networks, including the Global Privacy Enforcement Network, the International Conference of Data Protection and Privacy Commissioners, and the London Action Plan; and

 RECOGNIZING that the Participants would not be able to provide assistance to the other if such assistance is prohibited by their respective national laws or enforcement policies.

 

HAVE REACHED THE FOLLOWING UNDERSTANDING:

 

I. Definitions

For the purposes of this Memorandum,

A. “Applicable Privacy Law” means the laws identified in Annex 1, including any regulations pursuant to those laws, (as may be revised by mutual consent of the Participants from time to time), the enforcement of which has the effect of protecting personal information.

B. “Covered Privacy Violation” means practices that would violate the Applicable Privacy Laws of one Participant’s country and that are the same or substantially similar to practices prohibited by any provision of the Applicable Privacy Laws of the other Participant’s country.

C. “Person” means any natural person or legal entity, including corporations, unincorporated associations, or partnerships, established, existing under or authorized by the laws of the United States, its States, or its Territories, or the laws of the United Kingdom.

D. “Request” means a request for assistance under this Memorandum.

E. “Requested Participant” means the Participant from which assistance is sought under this Memorandum, or which has provided such assistance.

F. “Requesting Participant” means the Participant seeking assistance under this Memorandum, or which has received such assistance.

II. Objectives and Scope

 A. This Memorandum of Understanding sets forth the Participants’ intent with regard to mutual assistance and the exchange of information for the purpose of investigating, enforcing and/or securing compliance with Covered Privacy Violations. The Participants do not intend the provisions of this Memorandum of Understanding to create legally binding obligations under international or domestic laws.

B. The Participants understand that it is in their common interest to:

  1. cooperate with respect to the enforcement of the Applicable Privacy Laws, including sharing complaints and other relevant information and providing investigative assistance;
  2. facilitate research and education related to the protection of personal information;
  3. facilitate mutual exchange of knowledge and expertise through training programs and staff exchanges;
  4. promote a better understanding by each Participant of economic and legal conditions and theories relevant to the enforcement of the Applicable Privacy Laws; and
  5. inform each other of developments in their respective countries that relate to this Memorandum.

C. In furtherance of these common interests, and subject to Section IV, the Participants intend to use best efforts to:

  1. share information, including complaints and other personally identifiable information, that a Participant believes would be relevant to investigations or enforcement proceedings regarding Covered Privacy Violations of the Applicable Privacy Laws of the other Participant’s country;
  2. provide investigative assistance in appropriate cases, including obtaining evidence under the Participants’ respective legal authorities on behalf of the other Participant;
  3. exchange and provide other relevant information in relation to matters within the scope of this Memorandum, such as information relevant to consumer and business education; government and self-regulatory enforcement solutions; amendments to relevant legislation; and staffing and resource issues;
  4. explore feasibility of staff exchanges and joint training programs;
  5. coordinate enforcement against cross-border Covered Privacy Violations that are priority issues for both Participants;
  6. participate in periodic teleconferences to discuss ongoing and future opportunities for cooperation; and
  7. provide other appropriate assistance that would aid in the enforcement against Covered Privacy Violations.

 

III. Procedures Relating to Mutual Assistance

 A. Each Participant is to designate a primary contact for the purposes of requests for assistance and other communications under this Memorandum.

 B. If a Participant requests assistance for matters involved in the enforcement of Applicable Privacy Laws, then Participants understand that:

  1.  requests for assistance are to include sufficient information to enable the Requested Participant to determine whether a request relates to a Covered Privacy Violation and to take action in appropriate circumstances. Such information may include a description of the facts underlying the request and the type of assistance sought, as well as an indication of any special precautions that should be taken in the course of fulfilling the request;
  2. requests for assistance are to specify the purpose for which the information requested will be used;
  3. consistent with Section V.A., a request for assistance certifies that, subject to any relevant applicable legal restrictions in its own jurisdiction on its ability to do so, the requester is to maintain confidentiality in respect of:
     – each request for assistance,
     – the existence of any investigation related to the request,
     – all materials related to each request, and
     – all information and material provided in response to each request, unless otherwise decided; and,
  4. prior to requesting assistance, Participants should perform a preliminary inquiry to ensure that the request is consistent with the scope of this Memorandum.

 C. Participants should use their best efforts to resolve any disagreements related to cooperation that may arise under this Memorandum through the contacts designated under Section III.A, and, failing resolution between the designated contacts in a reasonably timely manner, by discussion between appropriate senior officials designated by the Participants.

 

IV. Limitations on Assistance

 A. The Requested Participant may exercise its discretion to decline the request for assistance, or limit or condition its cooperation, including, where it is outside the scope of this Memorandum, or more generally, where it would be inconsistent with domestic laws, or important interests or priorities.

B. The Participants recognize that it is not feasible for a Participant to offer assistance to the other Participant for every Covered Privacy Violation. Accordingly, the Participants intend to use best efforts, as outlined in Section II, to seek and provide cooperation focusing on those Covered Privacy Violations most serious in nature, such as those that cause or are likely to cause damage or distress to a significant number of persons, and those otherwise causing substantial damage or distress.

C. If the Requested Participant is unable to offer full assistance or declines assistance it should explain the reasons why.

D. Participants intend, in so far as they are able, to share confidential information pursuant to this Memorandum only to the extent that it is necessary to fulfill the purposes set forth in Section II.

E. The Participants recognize that confidential material often contains personally identifiable information. If the Requesting Participant wishes to obtain confidential information that includes personally identifiable information, then the Participants understand that they are to take additional appropriate measures to safely transmit and safeguard the information, including but not limited to transmitting the material in an encrypted format and using passwords to restrict access.

 

V. Confidentiality and Limitations on Use

 A. Subject to any restrictions imposed by their respective national laws, to the fullest extent possible, each Participant certifies the confidentiality of information to be shared under this Memorandum. The certification of confidentiality applies not only to the shared information, but also to the existence of an investigation to which the information relates. The Participants are to treat the shared information, the existence of the investigation to which the information relates, and any requests made pursuant to this Memorandum as confidential, and so far as they are able, not further disclose or use this information for purposes other than those for which it was originally shared, without the prior written consent of the Requested Participant.

 B. Notwithstanding Section V.A., it is understood that:

  1.  A Participant may disclose information provided pursuant to this Memorandum in response to a formal request from a Participant country’s legislative body or an order issued from a court with proper jurisdiction in an action commenced by the Participant or its government.
  2. Material obtained in connection with the investigation or enforcement of criminal laws may be used for the purpose of investigation, prosecution, or prevention of violations of either Participant’s country’s criminal laws.

 C. Each Participant is to use best efforts to safeguard the security of any information received under this Memorandum and respect any safeguards decided by the Participants. In the event of any access to, or disclosure of, the information not authorized by a Participant, the Participants are to take all reasonable steps to prevent a recurrence of the event and are to notify the other Participant of the occurrence.

D. Where a Participant receives an application by a third party for disclosure of confidential information or materials received from a Requested Participant, the Requesting Participant should notify the Requested Participant forthwith and seek to obtain that Participant’s consent to the release of the information. Where the Participant who receives an application for disclosure from a third party is unable to obtain consent for its disclosure from the Requested Participant, if the Receiving Participant is nevertheless obliged under its laws to release the information, it should notify the Requested Participant as soon as possible of its decision to disclose the information.

 

VI. Changes in Applicable Privacy Laws

 In the event of significant modification to the Applicable Privacy Laws of a Participant’s country falling within the scope of this Memorandum, the Participants intend to consult promptly, and, if possible, prior to the entry into force of such enactments, to determine whether to modify this Memorandum.

 

VII. Retention of Information

 A. If Participants wish to retain materials obtained from the other Participant under this Memorandum, the Participants understand they are not to retain such materials for longer than is reasonably required to fulfill the purpose for which they were shared or for longer than is required by the Requesting Participant’s country’s laws.

 B. The Participants recognize that in order to fulfill the purpose for which the materials were shared, the Participants typically need to retain the shared materials until the conclusion of the pertinent investigation or related proceedings for which the materials were requested.

 C. The Participants are to use best efforts to return any materials that are no longer required if, at the time they are shared, the Requested Participant makes a written request that such materials be returned. If no request for return of the materials is made, then the Requesting Participant may dispose of the materials using methods prescribed by the Requested Participant, or if no such methods have been prescribed, by other secure methods, as soon as practicable after the materials are no longer required.

 

VIII. Costs

 Unless otherwise decided by the Participants, the Requested Participant is expected to pay all costs of executing the request for information. When the cost of providing or obtaining information under this Memorandum is substantial, the Requested Participant may ask the Requesting Participant to pay those costs as a condition of proceeding with the Request. In such an event, the Participants should consult on the issue at the request of either Participant.

 

IX. Duration of Cooperation

 A. The Participants intend cooperation in accordance with this Memorandum to become available as of the date it is signed by both Participants.

 B. Assistance in accordance with this Memorandum is understood to be available concerning Covered Privacy Violations occurring before as well as after this arrangement is signed.

 C. A Participant should endeavor to provide 30 days advance written notice to the other Participant that it plans to withdraw from the understanding set out in this Memorandum. However, prior to providing such notice, each Participant should use best efforts to consult with the other Participant.

 D. Upon cessation of cooperation through this Memorandum, the Participants, in accordance with Section V, are to maintain the confidentiality of any information communicated to them by the other Participant in accordance with this Memorandum, and return or destroy, in accordance with the provisions of Section VII, information obtained from the other Participant in accordance with this Memorandum.

 

X. Legal Effect

 Nothing in this Memorandum is intended to:

A. Create binding obligations, or affect existing obligations, under international or domestic law.

B. Prevent a Participant from seeking assistance from or providing assistance to the other Participant pursuant to other agreements, arrangements, or practices.

C. Affect any right of a Participant to seek information on a lawful basis from a Person located in the territory of the other Participant’s country, or preclude any such Person from voluntarily providing legally obtained information to a Participant.

D. Create a commitment that conflicts with either Participant’s national laws, court orders, or any applicable international legal instruments.

E. Create expectations of cooperation that would exceed a Participant’s powers.

Annex 1

 

Applicable Privacy Laws

 

  1. Federal Trade Commission
    a. Federal Trade Commission Act, 15 U.S.C. §§ 41-58
    b. Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681u
    c. The Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506
    d. Gramm-Leach-Bliley Act, codified in relevant part at 15 U.S.C. §§ 6801-6809 and §§ 6821-6827
    e. Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101-6108
    f. CAN-SPAM Act of 2003, 15 U.S.C. §§ 7701-7713

  II. Information Commissioner’s Office
    a. Data Protection Act, 1998 c. 29
    b. The Privacy and Electronic Communications (EC Directive) Regulations, 2003 No. 2426

 

 
