On June 28-30, 2011, the Council of Europe’s Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (known as the “T-PD-Bureau”) met in Strasbourg, France, to discuss, among other things, amending the Council of Europe’s Convention 108. Convention 108, which underlies the European Union’s legal framework for data protection, is the only legally-binding international convention that addresses data protection. Amendment of the Convention is thus closely linked to the current review of the EU data protection framework, and many of the same actors are involved in both exercises.
On June 28, 2011, the Federal Communications Commission and the Federal Trade Commission convened a public education forum entitled “Helping Consumers Harness the Potential of Location-Based Services.” Representatives of telecommunications carriers, technology companies and consumer advocacy organizations discussed technological developments and how best to realize the benefits of location-based services without compromising privacy.
On June 29, 2011, the Senate Committee on Commerce, Science and Transportation convened a hearing entitled “Privacy and Data Security: Protecting Consumers in the Online World.” In opening remarks, Committee Chair Senator Jay Rockefeller (D-WV) highlighted that the hearing would consider both privacy and data security and discussed three bills focused on these issues.
On June 24, 2011, the U.S. Department of Commerce’s International Trade Administration released a PowerPoint presentation on Mexico’s new private sector data protection law that was shared at a meeting of the OECD Working Party on Information Security and Privacy by Mexico’s Ministry of Economy and Federal Institute for Access to Information and Data Protection (“IFAI”). The presentation provides guidance on the creation of privacy notices and establishment of self-regulatory schemes, and also outlines the responsibilities of the Ministry of Economy and the IFAI ...
Recent developments involving the use of facial recognition technology have raised privacy concerns in the United States, Europe and Canada. As we reported earlier this month, the Electronic Privacy Information Center (“EPIC”) and several other consumer privacy advocacy groups filed a complaint with the Federal Trade Commission against Facebook for its use of facial recognition technology. According to EPIC’s complaint, Facebook’s Tag Suggestions feature recognizes individuals’ faces based on photographs already on Facebook, then suggests that users “confirm Facebook’s identification of facial images in user photos” when they upload new photos to their Facebook profiles.
On June 23, 2011, in a 6-3 decision, the United States Supreme Court ruled in IMS Health Inc. v. Sorrell that a Vermont law prohibiting the sale of prescriber-identifiable data to drug companies was an unconstitutional violation of the First Amendment right to free speech. Thomas Julin, a partner at Hunton & Williams LLP, represented IMS Health in this case. The Supreme Court’s ruling affirmed the holding of the U.S. Court of Appeals for the Second Circuit, resolving a split with the First Circuit (which upheld a similar law in New Hampshire), and likely preventing the enactment of similar restrictive laws across the country.
Speaking at the British Bankers’ Association’s Data Protection and Privacy Conference in London on June 20, 2011, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, signaled her intention to streamline data protection to “simplify the regulatory environment” and “substantially reduce the administrative burden” for businesses. In return, Reding expects businesses to ensure “safe and transparent digital products and services.”
On June 20, 2011, Malaysia’s Bernama News Agency reported that the Malaysian Ministry of Information, Communication and Culture will establish a government department to facilitate the implementation of Malaysia’s new Personal Data Protection Act. Malaysia passed the Personal Data Protection Act in 2010, but the law has yet to go into effect. According to the report, enforcement of the Act is scheduled for early next year.
On June 14, 2011, the PCI Security Standards Council’s Virtualization Special Interest Group published its “Information Supplement: PCI DSS Virtualization Guidelines”(the “Guidelines”) to Version 2.0 of the PCI Data Security Standard (“PCI DSS”). The Guidelines provide context for the application of the PCI DSS to cloud and other virtual environments, and offer at least three critical reminders:
- the PCI DSS applies to cloud environments without exception;
- critical analysis of the application of the PCI DSS to rapidly evolving cloud offerings is essential to compliance; and
- cloud providers must be prepared to document and contract for necessary controls.
As reported in Hunton & Williams' Employment & Labor Perspectives blog, two unfair labor practice complaints recently issued by National Labor Relations Board regional offices in Buffalo and Chicago illustrate how closely the NLRB is scrutinizing employers’ termination decisions that are allegedly related to statements employees made on social media. Read the full entry.
On June 15, 2011, European Data Protection Supervisor (“EDPS”) Peter Hustinx gave a press conference to present his annual report for 2010. The annual report provides an overview of the EDPS’ main activities in 2010 and sets forth key priorities and challenges for the future.
In his speech, Hustinx focused primarily on the review of the EU data protection framework and the Data Retention Directive. He referenced his recent Opinion in which he concluded that the Data Retention Directive does not meet general EU data protection requirements and that the European Commission should explore the possibility of replacing it with alternative measures such as data preservation through a “quick freeze” procedure. Hustinx also stated his intention to keep a close eye on any developments with respect to RFID technology, cloud computing and online enforcement of intellectual property rights.
As reported yesterday, on June 16 and 17, 2011, the Hungarian Presidency of the Council of the European Union hosted a high-level international data protection conference in Budapest. The following are some highlights from the second day’s events:
- During the “New principles in the field” panel, Professor Paul De Hert of the Vrije Universiteit Brussel gave an explanation of the case I v. Finland, which was decided by the European Court of Human Rights on July 17, 2008, and which both he and European Data Protection Supervisor Peter Hustinx agreed was a key document for the concept of accountability in European data protection law. Endre Szabó of the Hungarian Ministry of Public Administration and Justice noted that the principle of accountability had not yet been fully accepted by all members of the European Council.
Two former employees of mobile phone provider T-Mobile have been ordered by a court in the United Kingdom to pay £73,700 (approximately $120,000) for the theft of T-Mobile customers’ personal data. The Chester Crown Court ordered David Turley and Darren Hames to pay £45,000 and £28,700 respectively, under confiscation orders, along with prosecution costs.
On June 13, 2011, Representative Mary Bono Mack (R-CA) released a discussion draft of the Secure and Fortify Data Act (the “SAFE Data Act”), which is designed to “protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.” Representative Bono Mack is Chairman of the House Subcommittee on Commerce, Manufacturing and Trade. In a press release, Representative Bono Mack remarked that “E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it – and that starts with robust cyber security.” She added that “consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them.”
Hunton & Williams LLP is pleased to announce its 2011 rankings from Chambers and Partners and The Legal 500: United States. The firm maintained its number one ranking in both surveys for its Privacy and Data Security practice.
For the last four years, the firm has held the “Band 1” ranking for Privacy and Data Security by both the Chambers USA and Chambers Global guides. In its Chambers USA guide, Chambers and Partners recognized the firm’s privacy and data security practice for its “full spectrum of privacy issues including data security breaches, records and information management and legislation compliance.” Hunton & Williams also received the highest honors for its client service and “commercial awareness.” In addition, the practice was praised for its connections with regulatory agencies. Lisa J. Sotto, partner and head of the firm’s Privacy and Data Security practice, was ranked in “Band 1,” and was singled out for her “tremendous wealth of knowledge” and proactive nature in assisting clients.
On June 16, 2011, the Hungarian Presidency of the Council of the European Union hosted the first day of a high-level international data protection conference in Budapest. The conference was attended by approximately 150 people, most of whom are representatives of EU governments, data protection authorities (“DPAs”), the European Commission, and other governmental groups such as the Council of Europe.
On June 15, 2011, Senator Al Franken (D-MN) and Senator Richard Blumenthal (D-CT) introduced the Location Privacy Protection Act of 2011 (the “Act”). As we reported previously, Senator Franken is chairman of the newly-created Senate subcommittee on Privacy, Technology and the Law. In his press release, Senator Franken explained that the Act is designed to “close current loopholes in federal law” while giving customers the ability to learn about and prevent the collection of their location information. The Act would apply only to non-government entities and would not impact law-enforcement activities. At a May 10, 2011 hearing, both Google and Apple were questioned about their privacy practices, and Franken subsequently challenged them to require their application developers to adopt clear and understandable privacy policies.
On June 7, 2011, the Congress of the Republic of Peru passed the Personal Data Protection Law (Ley de Protección de Datos Personales, Proyecto de Ley 4079/2009-PE). If signed into law, the bill would make Peru the newest member of the group of Latin American countries with EU-style omnibus privacy legislation. The broad-ranging legislation would do the following, among other things:
On June 13, 2011, the Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”) hosted a conference in Warsaw on the use of binding corporate rules (“BCRs”) for international data transfers. The conference was notable as the first on this topic in Poland, and was designed to introduce BCRs to a Polish audience and to promote their use. The audience of approximately 70 people heard presentations by the Polish Inspector General for Data Protection, Wojciech Rafał Wiewiórowski, as well as representatives of the Belgian, French, Polish ...
On June 10, 2011, the Electronic Privacy Information Center (“EPIC”) filed a complaint with the Federal Trade Commission, claiming that Facebook’s facial recognition and automated online image identification features harm consumers and constitute “unfair and deceptive acts and practices.” According to a post on The Facebook Blog, the Tag Suggestions feature matches uploaded “new photos to other photos [the user is] tagged in.” Facebook then “[groups] similar photos together and, whenever possible, suggest[s] the name of the friend in the photos.” On June 13, 2011, Congressman Edward Markey (D-MA) released a statement supporting the complaint and indicating that he will “continue to closely monitor this issue.”
On June 9, 2011, two plaintiffs filed a class action complaint against Google in the United States District Court for the Southern District of Florida. The complaint alleges that Google’s Android phone “engaged in illegal tracking and recording of [p]laintiffs’ movements and locations … without their knowledge or consent” and that Google violated the Computer Fraud and Abuse Act and Florida statutory and common law by failing to inform Android users that their movements were being tracked and recorded through their phones.
On June 6, 2011, Hunton & Williams hosted a panel discussion on what organizations in the UK, France, Germany and the Netherlands are doing to comply with the EU’s new cookie law. The webinar, Consent for Cookies: Preparing for the EU Cookie Law, featured David Evans, Group Manager of Business and Industry of the UK Information Commissioner’s Office, and Hunton & Williams Brussels-based associates Olivier Proust, Dr. Jörg Hladjk and Martijn ten Bloemendal. The panel was moderated by Bridget C. Treacy, partner in the London office of Hunton & Williams.
On June 8, 2011, the Department of Commerce’s Internet Policy Task Force released a report entitled “Cybersecurity, Innovation and the Internet Economy.” The report contains four broad policy recommendations: (1) the creation of a nationally recognized approach to minimize vulnerabilities for the Internet and networking services industry, (2) the development of incentives to combat cybersecurity threats, (3) increased cybersecurity education and research, and (4) the promotion of international cooperation to enable sharing of cybersecurity best practices.
On June 7, 2011, Senator Patrick Leahy (D-VT) introduced the “Personal Data Privacy and Security Act of 2011” (the “Act”), co-sponsored by Senators Charles Schumer (D-NY) and Ben Cardin (D-MD). This marks the fourth time Senator Leahy has introduced ambitious privacy legislation; in 2005, 2007 and 2009, similar bills failed to advance in the Senate. In his press release, Senator Leahy stated that “many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country.”
On May 27, 2011, a class action complaint was filed in the United States District Court for the Northern District of California against Google and its recently acquired subsidiary, Slide, alleging that they violated the Telephone Consumer Protection Act (“TCPA”) when they sent text messages to people’s cell phones without first obtaining their consent.
In a pair of lawsuits filed against Twitter, Inc. and American Express Centurion Bank, plaintiffs in a California federal court are seeking class-action status to assert claims that the defendants violated the Telephone Consumer Protection Act (“TCPA”) by sending each plaintiff a single text message to confirm that they had processed the plaintiff’s request to opt-out of receiving further text messages. This litigation highlights a potential vulnerability in the mobile marketing programs of companies that have not fully considered how telemarketing law should inform their implementation of the Mobile Marketing Association’s U.S. Consumer Best Practices (the “MMA’s Best Practices”), the authoritative compilation of policies enforced by the major wireless carriers.
On May 26, 2011, the United Kingdom’s Lord Chancellor and Secretary of State for Justice Kenneth Clarke spoke before the EU Committee of the British Chamber of Commerce in Belgium. His remarks focused on data protection, a subject he characterized as one “heavily on the agenda” in Brussels and in many EU Member States. Clarke emphasized his own role as a proponent of data protection and a defender of civil liberties and individual freedom, and discussed the introduction into Parliament of a major bill to enhance individual freedom in the UK. Key measures in the bill, many of which respond to issues raised over the past few years by the UK Information Commissioner, include:
- Greater independence for the Information Commissioner
- Safeguards against misuse of counter-terrorism stop and search powers
- Further regulation of the use of closed-circuit television monitoring
- Reform of the regulations governing vetting and barring of ex-offenders and persons working with children and vulnerable adults
On May 31, 2011, an Order was filed in the District Court for the Northern District of California granting final approval of the Google Buzz class action settlement and cy pres awards for organizations focused on Internet privacy policy or privacy education. Pursuant to the Order, the court adopted the Google Buzz settlement agreement and certified the proposed settlement class, which includes “all Gmail users in the United States presented with the opportunity to use Google Buzz through the Notice Date.” The court also approved the following list of organizations and ...
Costa Rica’s quest for an omnibus privacy law took a major step forward on April 27, 2011, when the Supreme Court of Justice of Costa Rica gave its stamp of approval to a far-ranging piece of privacy legislation, finding that it had no constitutional defects. In March 2011, the bill, known as the law of “Protection of the Person in the Processing of His Personal Data” (Protección de la Persona Frente al Tratamiento de sus Datos Personales), survived an initial vote in the unicameral Legislative Assembly. The bill has now been returned to the Legislative Assembly.
As reported by Kwang Hyun Ryoo and Ji Yeon Park of Bae, Kim & Lee LLC in Korea, on May 24, 2011, the government of South Korea published draft regulations to the Personal Information Protection Act (“PIPA”), the Republic’s new omnibus data protection law.
As we previously reported, PIPA was enacted on March 29, 2011, after past privacy legislation had languished in the Korean Parliament. The recently published regulations (an Enforcement Decree and Enforcement Regulations) apply to any “handler of personal information” or “data handler,” which is any entity that uses personal information for business purposes.
Search
Recent Posts
- Website Use of Third-Party Tracking Software Not Prohibited Under Massachusetts Wiretap Act
- HHS Announces Additional Settlements Following Ransomware Attacks Including First Enforcement Under Risk Analysis Initiative
- Employee Monitoring: Increased Use Draws Increased Scrutiny from Consumer Financial Protection Bureau
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code