Posts from May 2013.
Time 1 Minute Read

On May 30, 2013, the French Data Protection Authority (“CNIL”) launched a public consultation on the digital “right to be forgotten.”

The CNIL recalled that the principle of a digital “right to be forgotten” is established in the Proposed EU Data Protection Regulation and that this new right will have to be exercised in accordance with freedom of expression, freedom of the press and the duty of remembrance.

In this context, the CNIL decided to consult web users with a goal of defining the broad outlines of the digital right to be forgotten. The CNIL also announced that it will ...

Time 2 Minute Read

Hunton & Williams LLP is pleased to announce the firm’s global Privacy and Data Security practice again ranked in “Band 1” in 2013 Chambers USA, Chambers Global and Chambers UK.

Global practice group leader Lisa Sotto, who was recently named among The National Law Journal’s “The 100 Most Influential Lawyers in America,” was recognized in Chambers USA as a “Star” performer, the guide’s highest ranking. Sotto was the only privacy lawyer in the U.S. to receive this distinguished ranking. In the same guide, New York partner Aaron Simpson was highlighted for his notable work in advising on global privacy and data security matters.

Time 2 Minute Read

On May 29, 2013, a bill, accompanied by an explanatory memorandum, was proposed in the Australian Parliament that requires businesses and government agencies that experience a serious data breach to notify affected individuals and the Office of the Australian Information Commissioner (“OAIC”). The proposed legislation requires organizations to notify individuals only when they are “significantly affected” by a “serious” data breach. Breaches that merely pose a “remote risk” of harm would not require notification. The factors organizations should assess when determining whether a breach is “serious” include: (1) harm to a person’s reputation, (2) economic harm, (3) financial harm, and (4) physical and psychological harm. Additionally, the bill specifies that implementing regulations may identify other situations that would require notification even if the breach does not give rise to a risk of serious harm. Organizations should notify affected individuals through the normal method of communication they have previously used to communicate with those individuals. Absent a normal method of prior communication, organizations must take reasonable steps to notify the affected individuals via email, telephone or postal mail. If passed, the legislation would become effective in March 2014.

Time 2 Minute Read

On May 13, 2013, the Article 29 Working Party (the “Working Party”) adopted an Advice Paper on profiling (the “Advice Paper”). The Advice Paper serves as the national data protection authorities’ contribution to the ongoing legislative debate before the European Parliament and the Council of the European Union on the proposed EU General Data Protection Regulation (the “Proposed Regulation”).

Time 1 Minute Read

On June 3, 2013, Privacy Piracy host Mari Frank will interview Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, on KUCI 88.9 FM radio in Irvine, California. Listen to the latest developments in cybersecurity, including legal issues businesses should consider when dealing with cybersecurity threats and the types of information being targeted. The radio interview will be featured at 8:00 a.m. Pacific Time on KUCI 88.9 FM and is available via audio streaming at www.kuci.org

Time 2 Minute Read

On May 20, 2013, the Estonian Data Protection Inspectorate issued its Annual Report 2012 (the “Report,” summary available in English). The number of inquiries, complaints and supervision proceedings has remained the same over the last few years. The main topics of complaints include employment relations, CCTV, electronic direct marketing and social media. The Inspectorate stated that its primary goal is to stop violations of the law, not to impose sanctions. According to the Report, the Inspectorate issued orders regarding compliance in 48 cases and imposed fines in 39 cases.

Time 3 Minute Read

On May 23, 2013, the Office of the Privacy Commissioner of Canada (“OPC”) issued a position paper (the “Paper”) proposing revisions to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) to better align PIPEDA with the risks facing a modern information economy. Privacy Commissioner of Canada Jennifer Stoddart addressed the release of the Paper in her remarks at the IAPP Canada Privacy Symposium, stating that “[i]t is increasingly clear that the law is not up to the task of meeting the challenges of today – and certainly not those of tomorrow.” According to the Paper, the surge in the collection, availability and use of personal data has upset the balance between the privacy rights of individuals and the legitimate needs of businesses originally struck by PIPEDA. In response, the Paper proposes four general revisions to PIPEDA:

Time 2 Minute Read

On May 21, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $400,000 settlement with Idaho State University (“ISU”) for a breach that affected 17,500 individuals.

The ISU settlement relates to servers that had their firewall protections disabled, which left the electronic protected health information (“ePHI”) of patients at ISU’s Pocatello Family Medicine Clinic unsecured for at least ten months. Following the submission of a breach report to the HHS Office for Civil Rights (“OCR”), an investigation determined that ISU allegedly had not complied with HIPAA Security Rule requirements, including by conducting an incomplete and inadequate risk analysis and by failing to “adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner.”

Time 2 Minute Read

On May 9, 2013, the Federal Communications Commission (“FCC”) released a declaratory ruling clarifying the liability of a seller for violations of the Telemarketing Consumer Protection Act (“TCPA”) made by third-party telemarketers and others who place calls to market the seller’s products or services.

Time 4 Minute Read

On May 20, 2013, the Irish Office of the Data Protection Commissioner (“ODPC”) published its annual report for 2012 (the “Report”). The Report summarizes the activities of the ODPC during 2012, including its investigations and audits, policy matters, and European and international activities.

Time 2 Minute Read

Lisa J. Sotto, head of Hunton & Williams LLP’s Privacy and Data Security practice and managing partner of the New York office, was recently re-appointed as Chair of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (“DPIAC”). Sotto was first appointed Chair of DPIAC in 2012 for a one-year term. This most recent tenure will expire in April 2014.

Time 2 Minute Read

On May 16, 2013, UK Trade & Investment (“UKTI”), a UK government department working with businesses based in the UK to ensure their success in international markets, published the first export strategy paper (the “Paper”) on the UK’s approach to the $100 billion annual cybersecurity export market.

In November 2011, the UK’s Cyber Security Strategy was published. ‘Objective 1’ of the strategy’s implementation plan recognized that cyberspace is an important and expanding part of the UK economy. One of the supporting actions for Objective 1 was to develop a ...

Time 3 Minute Read

In April 2013, the People’s Republic of China’s General Office of the National People’s Congress published a draft amendment to the Law on the Protection of Consumer Rights and Interests (the “Proposed Amendment”) and solicited public comments on the Proposed Amendment until May 31, 2013. The Proposed Amendment includes provisions that affect the collection and use of consumer personal information.

Time 2 Minute Read

On April 30, 2013, the UK government announced guidance on its consultation on cybersecurity standards (the “Consultation”). The Consultation was launched in March 2013, and follows the UK government’s recent announcement regarding a cybersecurity partnership initiative to facilitate information-sharing on cyber threats.

Time 2 Minute Read

On May 15, 2013, the Federal Trade Commission announced that it sent educational letters to over 90 businesses that appear to collect personal information from children under the age of 13, reminding them of the impending July 1 deadline for compliance with the updated Children’s Online Privacy Protection Rule (the “Rule”). The letters were sent to domestic and foreign companies that may be collecting information from children that is now considered “personal information” under the Children’s Online Privacy Protection Act (“COPPA”) but was not previously considered “personal information.” The definition of “personal information” under COPPA was expanded to include (1) photos, videos and audio recordings of children; and (2) persistent identifiers that may recognize users over time and across various websites and online services (e.g., cookies and IP addresses).

Time 2 Minute Read

In March 2013, the UK government launched its consultation on cybersecurity standards (the “Consultation”) following the government’s recent announcement regarding a cybersecurity partnership initiative to facilitate information sharing on cyber threats.

Time 4 Minute Read

The Obama Administration is in the process of finalizing its review of a statutory electronic surveillance proposal initially developed by the FBI, and is expected to support the introduction of a modified version as legislation. The proposal addresses concerns raised by law enforcement and national security agencies regarding the widening gap between their legal authority to intercept real-time electronic communications pursuant to a court order, and the practical difficulties associated with actually intercepting those communications. According to the government, this gap increasingly prevents the agencies from collecting Internet-based phone calls, emails, chats, text messages and other communications of terrorists, spies, organized crime groups, child pornography distributors and other dangerous actors. The FBI refers to this as the “going dark” problem.

Time 2 Minute Read

On May 14, 2013, London Economics published the results of an independent survey commissioned by the UK Information Commissioner’s Office (“ICO”) to help understand the challenges that the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) may present to UK businesses (the “Report”).

Time 1 Minute Read

On May 10, 2013, CBS News interviewed two cybersecurity authorities to discuss the growing debate of privacy online. In the feature, entitled “Should there be a ‘right to be forgotten’ online?,” Lisa J. Sotto, partner and head of the Privacy and Data Security practice at Hunton & Williams LLP, talked about the problem of individuals’ rights to delete their online activity. She pointed out that the U.S. has no comprehensive online privacy law, and instead has a framework “comprised of a patchwork quilt of laws.” ...

Time 1 Minute Read

A state court has dismissed the California Attorney General’s claims that Delta Air Lines Inc. (“Delta”) violated the California Online Privacy Protection Act by failing to have an appropriately posted privacy policy for its mobile application, Bloomberg reports. The California AG sued Delta in December as part of an enforcement campaign that began with the issuance of warning letters to approximately 100 operators of mobile apps, including Delta. According to the Bloomberg report, a basis for the dismissal was the federal Airline Deregulation Act, under which a state ...

Time 2 Minute Read

On May 7, 2013, the Federal Trade Commission announced that it issued letters to ten data broker companies warning that their practices could violate prohibitions against selling consumer information under the Fair Credit Reporting Act (“FCRA”). The FTC identified the ten data broker companies after a test-shopping operation that indicated these companies were willing to sell consumer information without adhering to FCRA requirements.

Time 3 Minute Read

On April 30, 2013, the regional court of Berlin enjoined Apple Sales International, which is based in Ireland, (“Apple”) from relying on eight of its existing standard data protection clauses in contracts with customers based in Germany. The court also prohibited Apple’s future use of such clauses.

Time 2 Minute Read

On May 3, 2013, the German Federal Council (Bundesrat) passed a new bill regarding access to telecom user data, such as names, addresses, passwords and credit card PIN codes. This comes after the German Federal Diet (Bundestag) passed the German government’s bill on March 21, 2013, which amends, among other laws, Germany’s Federal Telecommunications Act.

Time 1 Minute Read

On May 6, 2013, the Global Privacy Enforcement Network (“GPEN”) announced its first “Internet Privacy Sweep,” in which 19 data protection authorities are participating. This joint effort, which runs May 6-12, 2013, involves a review of the information notices posted online by major websites.

Time 3 Minute Read

In April 2013, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) issued a new rule entitled the “Notice on Strengthening the Administration of Networked Smart Mobile Devices” (the “Notice”). This Notice, which will become effective on November 1, 2013, was issued in draft form in June 2012 along with a request for public comment.

Time 1 Minute Read

On May 6, 2013, the Federal Trade Commission announced that it had voted unanimously to reject a request from industry groups to delay the July 1, 2013 deadline for implementation of the updated Children’s Online Privacy Protection Rule (the “Rule”). The groups had argued that the delay was necessary because they needed more time to comply with the changes to the Rule, which the FTC promulgated on December 19, 2012. In its response to the groups, the FTC asserted that the groups have been on notice of the changes since the beginning of the rulemaking process over three years ago, and ...

Time 1 Minute Read

On May 6, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) discussed the progress of the proposed General Data Protection Regulation (“Proposed Regulation”). LIBE’s lead rapporteur, Jan Philipp Albrecht, noted that, in light of the significant number of amendments tabled, more time is needed for the other rapporteurs to deliberate. As a result, the vote originally scheduled for May 29, 2013 on the lead rapporteur’s report regarding amendments to the Proposed Regulation has been postponed.

Time 3 Minute Read

On May 7, 2013, the hacker group Anonymous announced that it, in concert with Middle East- and North Africa-based criminal hackers and cyber actors, will conduct a coordinated online attack labeled “OpUSA” against banking and government websites today. Anonymous stated that OpUSA will be a distributed denial of service (“DDoS”) in which websites may be defaced and legitimate users may be unable to access websites.

Time 1 Minute Read

The Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osobowych or “GIODO”) has activated the website for the 35th International Conference of Data Protection and Privacy Commissioners to be held in Warsaw, Poland, September 23-26, 2013. The conference theme is “A Compass in a Turbulent World.” Unlike past years, the conference will begin with the closed session for commissioners and concurrent side events. The open conference will take place on September 25 and 26. GIODO currently is working on the conference agenda with an advisory committee that ...

Time 1 Minute Read

On April 22, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the proposed data protection impact assessment template for smart grid and smart metering systems (“DPIA Template”). Expert Group 2 of the European Commission’s Smart Grid Task Force submitted the DPIA Template to the Working Party following the European Commission’s March 9, 2012 recommendation regarding preparation for the roll-out of smart metering systems.

Time 3 Minute Read

As reported in the Hunton Employment & Labor Perspectives Blog:

Furthering its controversial ruling in Banner Health System d/b/a Banner Estrella Medical Center, 358 NLRB No. 93 (July 30, 2012), the National Labor Relations Board’s (“NLRB’s”) Office of the General Counsel released a memorandum providing additional guidance on the confidentiality of internal workplace investigations. Banner Health held that to require confidentiality of investigations, an employer must show more than a generalized concern with protecting the integrity of its investigations. Rather, an employer must “determine whether in any give[n] investigation witnesses need[ed] protection, evidence [was] in danger of being destroyed, testimony [was] in danger of being fabricated, and there [was] a need to prevent a cover up.”
