On January 25, 2012, the UK Information Commissioner’s Office (“ICO”) published an initial statement welcoming the European Commission’s proposed new General Data Protection Regulation (the “Proposed Regulation”), and commended the Commission’s efforts to strengthen the rights of individuals, recognize important privacy concepts such as privacy by design and privacy impact assessments, and include accountability requirements.
Monetary penalties are one mechanism in a suite of tools that the UK Information Commissioner’s Office (“ICO”) uses to encourage compliance with data protection regulations. The ICO generally uses monetary penalties to sanction deliberate or negligent breaches of the law, but the purpose is not to impose financial hardship but rather to “act as an encouragement towards compliance, or at least as a deterrent against non-compliance.” The following is a brief overview of the ICO’s authority to issue monetary penalties.
In recent weeks, regulators in California and Illinois have issued guidance on responding to data security breaches, while UK and California authorities released online forms for organizations to use when providing notification of a breach to regulators.
In December 2011, the UK Information Commissioner’s Office (“ICO”) released a new breach notification form, reinforcing its expectation that organizations provide notification whether or not such notification is legally required. Sector-specific breach notification requirements were introduced in the UK by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and since May 2011, public electronic communication service providers have been required to notify the ICO, and in some cases affected individuals, in the event of a data security breach. All other organizations are strongly encouraged to notify the ICO of serious security breaches, and the fact that an incident was reported voluntarily is something the ICO takes into consideration when determining the appropriate enforcement action.
Throughout 2011, the UK Information Commissioner’s Office (“ICO”) escalated its use of data protection audits, encouraging organizations to submit to voluntary audits and seeking to increase its ability to conduct compulsory audits. Currently, the ICO has the authority to compel central government departments to undergo audits, but it would like to extend compulsory audits to include local government, the national health service and the private sector.
On January 25, 2012, the European Commission released a data protection law reform package, including its proposed General Data Protection Regulation (the “Proposed Regulation”). The UK Information Commissioner’s Office (“ICO”) has reacted positively to the Proposed Regulation, in particular commending efforts to strengthen the rights of individuals, the recognition of important privacy concepts such as privacy by design and privacy impact assessments, and new accountability requirements to ensure organizations properly demonstrate and document their data protection safeguards and procedures.
On December 28, 2011, UK Information Commissioner Christopher Graham outlined the ICO’s agenda for 2012 in a post on the ICO blog, highlighting the European Commission’s proposals for reviewing the EU data protection framework, the post-legislative scrutiny process with respect to the UK Freedom of Information Act (“FOIA”) and the ICO’s Information Rights Strategy. The Commissioner cautioned against allowing data protection compliance to fall by the wayside in the current, tough economic climate, especially given the inevitable reputational damage caused by big data breaches and the ICO’s power to impose fines.
On December 13, 2011, the Information Commissioner issued updated guidance on compliance with recent changes to UK law governing the use of cookies (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (“Regulations”)). Organizations were given a twelve-month grace period to comply with the new law. Initial guidance on the Regulations was released on May 9, 2011, but the Information Commissioner characterized that guidance as merely a “starting point for getting compliant rather than a definitive guide,” signaling that further advice would follow if appropriate.
Members of Parliament on the House of Commons Justice Select Committee have called for courts in the United Kingdom to be given greater powers to imprison and fine individuals who breach the Data Protection Act (“DPA”). The Committee stated in its October 18, 2011 report that the current penalties for unlawfully obtaining personal data (under Section 55 of the DPA) are an inadequate deterrent, and urged the government to exercise its power to introduce prison sentences without delay. Although currently a magistrates’ court can issue fines of up to £5,000 for breaches of Section 55 (and the Crown Court can impose unlimited fines), in practice, penalties often are limited to only a few hundred pounds.
Hunton & Williams announces that Rosemary Jay, formerly head of the privacy practice at Pinsent Masons and the former head of the legal team at the UK Information Commissioner’s Office, will join the firm’s Privacy and Data Security practice in October. Ms. Jay will be based in the firm’s London office. As a senior lawyer, Ms. Jay will bring more than 20 years of data protection experience to Hunton & Williams, enhancing both the firm’s renowned privacy practice and its Centre for Information Policy Leadership.
On September 14, 2011, UK Information Commissioner Christopher Graham said that the private sector “isn’t as good as it thinks it is” when it comes to data protection compliance, and that many of the compliance problems that arise originate in the private sector. While giving evidence to the House of Commons Justice Select Committee, the Commissioner criticized the private sector and, in particular, banks and other financial services companies.
Lush Cosmetics Ltd. (“Lush”) has avoided a monetary penalty for its breach of the UK Data Protection Act 1998. Instead, the UK Information Commissioner’s Office (the “ICO”) has required Lush to sign an undertaking that obliges the company to “ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard.”
On July 6, 2011, the UK Information Commissioner’s Office (the “ICO”) released its Annual Report and Financial Statements for 2010/11. Characterizing information as “the currency of democracy,” the report highlights the wide range of the ICO’s activities during the last twelve months, which focused on education and the provision of good practice guidance in addition to enforcement activities.
Recent developments involving the use of facial recognition technology have raised privacy concerns in the United States, Europe and Canada. As we reported earlier this month, the Electronic Privacy Information Center (“EPIC”) and several other consumer privacy advocacy groups filed a complaint with the Federal Trade Commission against Facebook for its use of facial recognition technology. According to EPIC’s complaint, Facebook’s Tag Suggestions feature recognizes individuals’ faces based on photographs already on Facebook, then suggests that users “confirm Facebook’s identification of facial images in user photos” when they upload new photos to their Facebook profiles.
Two former employees of mobile phone provider T-Mobile have been ordered by a court in the United Kingdom to pay £73,700 (approximately $120,000) for the theft of T-Mobile customers’ personal data. The Chester Crown Court ordered David Turley and Darren Hames to pay £45,000 and £28,700 respectively, under confiscation orders, along with prosecution costs.
On June 6, 2011, Hunton & Williams hosted a panel discussion on what organizations in the UK, France, Germany and the Netherlands are doing to comply with the EU’s new cookie law. The webinar, Consent for Cookies: Preparing for the EU Cookie Law, featured David Evans, Group Manager of Business and Industry of the UK Information Commissioner’s Office, and Hunton & Williams Brussels-based associates Olivier Proust, Dr. Jörg Hladjk and Martijn ten Bloemendal. The panel was moderated by Bridget C. Treacy, partner in the London office of Hunton & Williams.
On May 26, 2011, the United Kingdom’s Lord Chancellor and Secretary of State for Justice Kenneth Clarke spoke before the EU Committee of the British Chamber of Commerce in Belgium. His remarks focused on data protection, a subject he characterized as one “heavily on the agenda” in Brussels and in many EU Member States. Clarke emphasized his own role as a proponent of data protection and a defender of civil liberties and individual freedom, and discussed the introduction into Parliament of a major bill to enhance individual freedom in the UK. Key measures in the bill, many of which respond to issues raised over the past few years by the UK Information Commissioner, include:
- Greater independence for the Information Commissioner
- Safeguards against misuse of counter-terrorism stop and search powers
- Further regulation of the use of closed-circuit television monitoring
- Reform of the regulations governing vetting and barring of ex-offenders and persons working with children and vulnerable adults
On June 6, 2011, join Hunton & Williams for a panel discussion on the implementation of the new EU Cookie Law in the UK, France, Germany and the Netherlands. EU law on the use of cookies is changing. Opt-in consent will be required, but specific requirements may differ across the EU. What are organizations doing to ensure compliance with the new cookie law? Listen to David Evans, Group Manager of Business and Industry of the Information Commissioner's Office, explain the steps that UK organizations are expected to take. Learn about cookie compliance in France, Germany and the ...
On May 25, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a news release stating that organizations and businesses that run websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement of the new cookie law begins. Information Commissioner Christopher Graham made it clear, however, that “[t]his does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”
From May 26, 2011, UK law regulating the use of cookies on websites will change from an opt-out regime, to one requiring prior opt-in consent. This change poses significant practical challenges for website operators. In guidance on the new regulations, the UK Information Commissioner has acknowledged the challenge but warned that website operators must take steps now to ensure that they are ready to comply.
On May 11, 2011, the UK Information Commissioner’s Office (the “ICO”) published a new statutory code of practice on the sharing of personal data. As stated in the ICO’s press release, the code of practice covers best practices for both routine and one-off data sharing activities, and offers organizations tips for reducing the risk of inappropriate or insecure data sharing. By helping organizations understand how to share data appropriately, the code of practice should facilitate compliance with the Data Protection Act and minimize the risk of enforcement actions by the ICO or other regulators.
On April 15, 2011, the United Kingdom’s Department for Culture, Media and Sport (“DCMS”) announced that the UK will adopt the new EU rules on cookies without “gold-plating” the regulations by imposing additional national requirements, to help ensure that British companies can compete with the rest of Europe. As we previously reported, the UK government had reassured businesses that it would carry out the implementation in a manner that would minimize the impact on businesses and consumers.
On March 16, 2011, UK Information Commissioner Christopher Graham shared details of the government’s proposals for the implementation of the e-Privacy Directive with delegates at the Direct Marketing Association’s Data Protection Conference in London. A letter from the Minister for Culture, Communications and Creative Industries, Ed Vaizey, provides important reassurance to business that “Government is committed to introducing the amended provision in a way that minimises impacts to business and consumers.”
On March 8, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a warning to UK businesses on the forthcoming amendments to the Privacy and Electronic Communications Directive (2002/58/EC as amended by 2009/136/EC) that will require businesses operating websites in the UK to obtain consent from website visitors to store information on their computers and retrieve that information in the form of cookies.
The 32nd International Conference of Data Protection and Privacy Commissioners held in Jerusalem this October continued the trend from past conferences by enacting a resolution, this time with respect to the adoption of global privacy standards. The Jerusalem Declaration calls for an intergovernmental conference in 2011 or 2012 to negotiate a binding international agreement guaranteeing respect for data protection and privacy, and facilitating cross-border coordination of enforcement efforts. The basis for the binding international agreement would be the Madrid ...
In the first use of his powers to impose monetary penalties, the UK Information Commissioner has announced fines for two organizations with respect to serious breaches of the UK Data Protection Act.
- Hertfordshire County Council must pay a fine of £100,000 after staff accidentally faxed highly sensitive information to the wrong recipients, on two separate occasions.
- A4e Limited, an employment services company, must pay £60,000 following the theft of an unencrypted laptop from an employee’s home, putting the data of 24,000 people at risk.
On November 19, 2010, the UK Information Commissioner’s Office (the “ICO”) announced that Google has signed an undertaking committing it to improve its data processing practices. The undertaking follows an ICO investigation into the collection of payload data by Google Street View cars in the UK. Google’s Senior Vice President, Alan Eustace, signed the undertaking on behalf of Google, Inc.
The UK Information Commissioner’s Office (“ICO”) has announced the outcome of its investigation into the collection of payload data by Google Street View cars in the UK. The ICO has concluded that there was a “significant breach” of the UK Data Protection Act in that “the collection of this information was not fair or lawful and constitutes a significant breach of the first principle [of the Act].”
While the ICO has the power to impose monetary penalties for serious breaches of the Act, capped at £500,000 per breach, in this case the ICO has determined that the appropriate course is to secure an undertaking from Google, requiring it to implement additional data protection safeguards.
On October 26, 2010, the Centre for Information Policy Leadership (the “Centre”) released its long-awaited paper, “Demonstrating and Measuring Accountability, Accountability Phase II – The Paris Project” at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, Israel. This document is the result of the deliberations of an international working group that includes 60 representatives of business, civil society, government, data protection and privacy enforcement agencies, and the European Data Protection Supervisor. ...
On behalf of a group of interested parties (the “Group”), Hunton & Williams and Acxiom submitted a response to the UK Ministry of Justice’s (“MoJ”) recent Call for Evidence on the effectiveness of current data protection legislation in the UK. The Group is comprised of representatives from more than 40 organizations, including Barclays Bank, Dell, Fujitsu and GE Capital, all of which are committed to using personal data responsibly. Hunton & Williams and Acxiom, a global leader in interactive marketing services, with the attendance of the Group, worked together over the last two months to host two discussion meetings, and produced a submission summarizing the Group’s views.
On October 8, 2010, the UK Information Commissioner’s Office launched a consultation on a new statutory code of practice on the sharing of personal data.
As stated in the ICO’s press release, the draft code sets out a model of good practice, covering routine and one-off arrangements for sharing data with third parties. The code offers guidance on issues such as:
- The factors that an organization must take into account when deciding whether or not to share personal data
- The point at which individuals should be told that their data will be shared
- The security and staff training measures that must be implemented
- The rights of individuals to access their personal data
- Circumstances in which it is not acceptable to share personal data
The UK Information Commissioner’s Office (the “ICO”) has indicated that UK law firm ACS:Law could face a maximum penalty of £500,000 following a major data breach.
Personal information, including names and addresses, of over 8,000 Sky broadband subscribers and 400 PlusNet users was made publicly available following an apparent attack on ACS:Law’s website. The broadband customers involved are suspected by ACS:Law’s clients of illegally file-sharing copyright work, including music and, in some instances, pornographic films.
In a statement released on July 29, 2010, the UK Information Commissioner's Office ("ICO") has found that the information collected by Google from unsecured WiFi networks during the Street View photography capture exercise "does not include meaningful personal details that could be linked to an identifiable person." This follows an assessment carried out by the ICO on a sample of the data in question at Google's London offices.
The UK Ministry of Justice has issued a Call for Evidence on the effectiveness of current data protection legislation in the UK. Responses must be submitted by October 6, 2010. “It will give the [UK] Government a solid evidence base to use in negotiations with other European Union parties. I believe we have everything to gain from a sensible, proportionate and rights-based data protection framework, and one that works for you as businesses, service-providers and citizens,” said Minister of State for Justice, Lord McNally.
On May 28, 2010, the UK Information Commissioner’s Office issued a press release stating that it has been notified of more than 1,000 data security breaches since it began keeping records in late 2007. There is no mandatory reporting requirement in the UK, so the actual number of breaches is likely to be significantly higher. The ICO’s press release notes that the majority of breaches occur as a result of human or technical errors, such as employees improperly disclosing data to third parties or automated machines sending out letters to the wrong addresses.
Demos, an independent UK-based think tank, has published a report describing the views of a cross-section of British people on how their personal data are used by the public and private sectors. Private Lives: A People’s Inquiry Into Personal Information (the “Report”) was researched in the context of the UK Information Commissioner’s Office’s consultation on the Personal Information Online Code of Practice. The Information Commissioner called for industry and research groups to provide context for the new Code of Practice. “What emerges from the study is a fascinating picture of a public who certainly care about information rights, but who are by no means hysterical about perceived threats to liberty or privacy,” observed UK Information Commissioner Christopher Graham.
On March 3, 2010, the UK Information Commissioner launched a report on the "Privacy Dividend" (the “Report”), which outlines the business case for proactively investing in privacy protection. The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.
On January 12, 2010, the UK government laid regulations before Parliament to bring into force civil monetary penalties of up to £500,000 ($800,000) for serious data breaches. These penalties are likely to take effect starting April 6, 2010. Significantly, the penalties will apply not only to data security breaches, but also to all serious breaches of the UK Data Protection Act 1998. Accordingly, collecting personal data for a sweepstakes contest then deliberately, and without consent, disclosing the data to a third party to populate a tracing database for commercial purposes might well be subject to a penalty.
Background
On November 9, 2009, the UK's Ministry of Justice launched a consultation seeking the public's views on the proposed implementation of a maximum penalty of £500,000 (approximately US$837,950) for serious breaches of the UK Data Protection Act 1998 (the "DPA"). This Consultation follows the Information Commissioners' publication of draft guidance this week, explaining the circumstances in which a fine will be imposed. The launch of the Consultation puts to rest recent speculation as to the level of fine likely to be imposed for a deliberate or serious breach of the DPA, including for data security breaches.
The DPA imposes obligations on data controllers that process personal data to: (i) process personal data fairly and lawfully; (ii) obtain personal data only for specified lawful purposes, and not further process personal data in any manner incompatible with such purposes; (iii) ensure that personal data are adequate, relevant and not excessive in relation to the purposes for which they are processed; (iv) ensure that personal data are accurate and, where necessary, kept up-to-date; (v) keep personal data only for as long as is necessary for the purposes for which they are collected; (vi) process personal data in accordance with individuals' rights; (vii) implement appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and (viii) not transfer personal data to a jurisdiction outside the European Economic Area unless that jurisdiction affords adequate protection levels for individuals' rights and freedoms in relation to the processing of personal data.
Hunton & Williams is pleased to announce that Richard Thomas CBE, the former UK Information Commissioner, has joined the firm as Global Strategy Adviser. Richard Thomas was the UK’s Information Commissioner from November 2002 until his retirement at the end of June 2009. He was appointed by HM The Queen and held independent status, reporting directly to Parliament, on a range of regulatory, promotional and advisory responsibilities under the Data Protection Act 1998, the Freedom of Information Act 2000 and related laws. He also served as a member of the European Union’s Article ...
The new UK Information Commissioner, Christopher Graham, shared his vision for data protection regulation at his first conference speech in London yesterday. As the keynote speaker at the 8th Annual Privacy and Data Protection Conference, chaired by Hunton & Williams partner, Bridget Treacy, Christopher Graham positioned himself as a fair, but tough, regulator who will not be afraid to use his strengthened enforcement powers.
On September 23, 2009, the Information Commissioner's Office (the "ICO"), the UK's data protection regulator, issued a press release announcing the approval of the Hyatt Hotels Corporation's binding corporate rules ("BCR") under the new mutual recognition procedure. Hyatt is the first UK applicant to receive approval under the mutual recognition procedure.
Mutual recognition was devised to speed up the process of BCR approval by EU Data Protection Authorities ("DPAs"). Under "mutual recognition," one EU Member State's DPA acts as the lead authority on a company's BCR application. Once approved by the lead authority, the other participating members of the procedure automatically approve the BCR application.
The cost to register as a data controller in the United Kingdom is likely to increase significantly later this year, rising from £35 to £500 for companies with annual sales of at least £25.9 million and 250 or more employees.
The UK Information Commissioner has proposed a two-tiered fee structure as part of the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (the “Regulations”). The Regulations are expected to come into force as of October 1, 2009.
The UK Information Commissioner is initiating a consultation to develop a code of practice that will help companies address online privacy issues. It is anticipated that the code will provide guidance on the following matters:
- Operating a privacy-friendly website
- Rights and protections for individuals
- Privacy choices and default settings
- Cyberspace and territoriality
The UK Information Commissioner's Office has published a review of the strengths and weaknesses of the EU Data Protection Directive, commissioned from RAND Europe.
The concept of such a review was highly radical when first proposed. It provoked the promise of a similar study from the European Commission and generated much debate as to whether, and if so when, the Directive itself might be reviewed. The conclusions of the RAND study are much less radical than anticipated but more likely, as a consequence, to stimulate constructive debate within Europe as to the future shape of data protection law. Whilst not endorsing the RAND study, in April 2009, the European Privacy and Data Protection Commissioners' Conference discussed the themes raised by RAND and issued a declaration committing to contribute to the ongoing debate concerning the future of data protection law, including better implementation and enforcement of the existing legal framework.
Following numerous complaints about the use of behavioral advertising technology by internet service providers, the European Commission (the “Commission”) launched infringement proceedings against the United Kingdom for an alleged failure to keep people’s online details confidential. The EU Telecoms Commissioner, Viviane Reding, has called upon the UK to change its national laws to ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent. If the UK does not comply, the Commission can issue a final warning before taking the UK to the European Court of Justice.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code