Privacy & Information Security Law Blog

On July 27, 2015, Giovanni Buttarelli, the European Data Protection Supervisor (“EDPS”), published Opinion 3/2015 on the reform of Europe’s data protection laws, intended to “assist the participants in the trilogue in reaching the right consensus on time.” The Opinion sets out the EDPS’ vision for the regulation of data protection, re-stating the case for a framework that strengthens the rights of individuals and noting that “the time is now to safeguard individuals’ fundamental rights and freedoms in the data-driven society of the future.”

Recent class actions filed against Facebook and Shutterfly are the first cases to test an Illinois law that requires consent before biometric information may be captured for commercial purposes. Although the cases focus on biometric capture activities primarily in the social-media realm, these cases and the Illinois law at issue have ramifications for any business that employs biometric-capture technology, including those who use it for security or sale-and-marketing purposes. In a recent article published in Law360, Hunton & Williams partner, Torsten M. Kracht, and associate, Rachel E. Mossman, discuss how businesses already using these technologies need to keep abreast of new legislation that might affect the legality of their practices, and how businesses considering the implementation of these technologies should consult local rules and statutes before implementing biometric imaging.

On July 20, 2015, the United States Court of Appeals for the Seventh Circuit reversed a previous decision that dismissed a putative data breach class action against Neiman Marcus for lack of Article III standing. Remijas et al. v. Neiman Marcus Group, LLC, No. 14-3122.

Hunton & Williams is pleased to announce its participation with the Global Legal Group in the publication of the second edition of the book The International Comparative Legal Guide to: Data Protection 2015. Members of the Hunton & Williams Global Privacy and Cybersecurity team prepared several chapters in the guide, including the opening chapter on “Legislative Change: Assessing the European Commission’s Proposal for a Data Protection Regulation,” and chapters on Belgium, China, France, Germany, the United Kingdom and the United States.

On July 1, 2015, Connecticut’s governor signed into law Public Act No. 15-142, An Act Improving Data Security and Agency Effectiveness (the “Act”), that (1) amends the state’s data breach notification law to require notice to affected individuals and the Connecticut Attorney General within 90 days of a security breach and expands the definition of personal information to include biometric data such as fingerprints, retina scans and voice prints; (2) affirmatively requires all businesses, including health insurers, who experience data breaches to offer one year of identity theft prevention services to affected individuals at no cost to them; and (3) requires health insurers and contractors who receive personal information from state agencies to implement and maintain minimum data security safeguards. With the passing of the Act, Connecticut becomes the first state to affirmatively require businesses to provide these security services to consumers.

On July 16, 2015, the Federal Energy Regulatory Commission (“FERC”) issued a new Notice of Proposed Rulemaking (“NOPR”) addressing the critical infrastructure protection (“CIP”) reliability standards. The NOPR proposes to accept with limited modifications seven updated CIP cybersecurity standards. The NOPR also proposes that new requirements be added to the CIP standards to protect supply chain vendors against evolving malware threats and addresses risks to utility communications networks.

On July 10, 2015, the Federal Communications Commission (“FCC”) released a Declaratory Ruling and Order that provides guidance with respect to several sections of the Telephone Consumer Protection Act (“TCPA”). The Declaratory Ruling and Order responds to 21 separate requests from industry, government and others seeking clarifications regarding the TCPA and related FCC rules.

On July 10, 2015, the United States House of Representatives passed the 21st Century Cures Act (the “Act”), which is intended to ease restrictions on the use and disclosure of protected health information (“PHI”) for research purposes.

On July 14, 2015, pursuant to an implementation requirement of Government Regulation 82 of 2012, the Indonesian government published the Draft Regulation of the Minister of Communication and Information (RPM) of the Protection of Personal Data in Electronic Systems (“Proposed Regulation”). The Proposed Regulation addresses the protection of personal data collected by a variety of government agencies, enumerates the rights of those whose personal data is collected and the obligations of users of Information Communication Technology. Agencies to which the Proposed Regulation would apply include: the Directorate General of Immigration, which manages passport data; the Financial Services Authority, which regulates financial sector data; the Bank Indonesia, which regulates banking data; the Indonesian Consumers Foundation, which regulates protection of consumer data; the National Archives; and the Ministry of Health, which regulates health data and archives. The government provided a 10-day comment period for the proposal.

On July 6, 2015, the Standing Committee of the National People’s Congress of the People’s Republic of China published a draft of the country’s proposed Network Security Law (the “Draft Cybersecurity Law”). A public comment period on the Draft Cybersecurity Law is now open until August 5, 2015.

On June 16, 2015, the Article 29 Working Party (the “Working Party”) adopted an Opinion on Privacy and Data Protection Issues relating to the Utilization of Drones (“Opinion”). In the Opinion, the Working Party provides guidance on the application of data protection rules in the context of Remotely Piloted Aircraft Systems, commonly known as “drones.”

On July 9, 2015, the National Telecommunications and Information Administration (“NTIA”) announced the launch of its first cybersecurity multistakeholder process, in which representatives from across the security and technology industries will meet in September to discuss vulnerability research disclosure.

On June 29, 2015, Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was profiled in a Crain’s New York Business article entitled Lawyer Goes Into the Breach. The feature highlights the Hunton & Williams privacy team and the tireless work they do for their clients. Here is an excerpt from the article:

“Ms. Sotto came to her corner of the financial world a decade ago, after years working as an environmental lawyer. Spearheading Superfund cases was rewarding, but she was intrigued by the then-nascent field of mopping up messes for ...

How do we focus on individuals and ensure meaningful control and the empowerment of individuals in the modern information age? What data privacy tools would drive empowerment in the digital world of today and tomorrow, perhaps more effectively and more nimbly than traditional individual consent? At a time when many countries are legislating or revising their data privacy laws and organizations are searching for best practices to embed in their business models, these questions are more relevant today than ever. In an article published on July 2, 2015, in the International Association of Privacy Professionals’ Privacy Perspective, entitled Empowering Individuals Beyond Consent, Bojana Bellamy and Markus Heyder of the Centre for Information Policy Leadership at Hunton & Williams argue that consent is no longer the best or only way to provide control and protect individuals. There are alternative and additional tools in our toolkit that can deliver effective data privacy and greater individual empowerment.

Richard Thomas, former UK Information Commissioner and Global Strategy Advisor to the Centre for Information Policy Leadership, was invited to a unique event in Scotland last week.

Peter Hustinx, who retired as the European Data Protection Supervisor at the end of 2014, was awarded the Honorary Degree of Doctor of Science in Social Science by the University of Edinburgh.

On June 30, 2015, the French Data Protection Authority (the “CNIL”) summarized the results of the cookie inspections it conducted at the end of 2014.

On June 30, 2015, the Federal Trade Commission announced its new “Start With Security” business education initiative, which will provide businesses with information on data security and how to protect consumer information.