In the world of data protection, it’s an old story: Personal data gets shared with a third party data service provider, and then something goes wrong at the provider.
Whose fault is it? The organization that shared the personal data with the vendor certainly has responsibility, as organizations are generally responsible for the actions of their independent contractors. But even though an organization might have to pick up the tab, it can still put all the blame on the vendor.
One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite more than fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States – more so than nearly any privacy statute and any common law tort.
We have launched several new privacy training programs, including a series with brief introductions to privacy law. We have completed a privacy training program about US Privacy Law with a video and interactive material / quiz questions. And we just completed a training program about EU Privacy Law. This program has a 7.5 minute video (as well as an abridged version at 4.5 minutes), and there’s a separate excerpt on the Safe Harbor Arrangement for those who only want to cover Safe Harbor in their training programs.
Facebook has settled with the FTC over its change to its privacy policies back in 2009. According to the FTC complaint, as summed up by the FTC press release, Facebook engaged in a number of unfair and deceptive trade practices: