Privacy & Information Security Law Blog

On July 10, 2012, the Federal Financial Institutions Examination Council (“FFIEC”) released a statement on outsourced cloud computing activities. The statement, which was prepared by the FFIEC Information Technology Subcommittee, discusses key risk considerations associated with using third-party vendors to implement cloud computing solutions, and identifies applicable risk mitigation considerations contained in the various booklets that comprise the FFIEC IT Examination Handbook. The statement indicates that the FFIEC agencies “consider cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.” The paper focuses on addressing key risks of outsourced cloud computing identified in existing guidance. Key points include the following:

On July 24, 2012, a bipartisan group of eight members of Congress sent letters to nine major data brokerage companies requesting information on how the companies collect, assemble and sell consumer information to third parties. Representatives Ed Markey (D-MA) and Joe Barton (R-TX), who serve as co-chairmen of the Bipartisan Congressional Privacy Caucus, are leading the inquiry. The Privacy Caucus, which is an ad hoc group rather than a formally constituted congressional committee, is comprised of members who have a common interest in privacy issues. The Caucus cannot call formal hearings, compel production of materials or pass legislation.

On July 26, 2012, acting U.S. Secretary of Commerce Rebecca Blank announced that APEC’s Joint Oversight Panel has approved the United States’ request to participate in the APEC Cross-Border Privacy Rules System. The panel also approved the Federal Trade Commission’s participation as the system’s first privacy enforcement authority. The next step will be for the United States to nominate one or more accountability agents for the panel’s approval. Accordingly, the Department of Commerce will publish a Federal Register Notice in the coming days to provide guidance on how potential accountability agents may seek recognition. Once a U.S. accountability agent has been approved, American companies will be able to submit their cross-border privacy rules to be recognized as meeting the APEC standard.

As reported in BNA’s Privacy & Security Law Report,on June 25, 2012, a federal district court in California ruled that the California Supreme Court’s 2011 Pineda decision, which held that requesting and recording zip codes during credit card transactions violates the state’s Song-Beverly Credit Card Act, applies retrospectively to OfficeMax’s collection of zip codes from its customers. The Plaintiffs in Dardarian v. OfficeMax had filed a class action lawsuit against OfficeMax over the company’s collection of ZIP code information from customers at the point of sale, a practice that OfficeMax ended the day the Pineda decision was handed down.

Lisa Sotto, partner and head of the Global Privacy and Data Security Practice at Hunton & Williams, was interviewed on July 18, 2012 about her participation in the USAID-funded Judicial Reform and Government Accountability Project’s initiative to educate and provide data protection awareness to the Serbian government. As we reported last week, Sotto was invited to Belgrade to assist Rodoljub Sabic, Serbia’s Commissioner for Information of Public Importance and Personal Data Protection, and the JRGA Project. Sotto, who also is Chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, spent last week advising the Commission on steps to enhance Serbia’s data protection framework.

On July 12, 2012, the National Telecommunications and Information Administration (“NTIA”) of the U.S. Department of Commerce initiated a multistakeholder process to develop guidance for transparency in the mobile environment. The NTIA has announced that they will schedule a second meeting in August, and encouraged small group discussions in the interim. This is not the first multistakeholder process to wrestle with transparency in the mobile environment, and those previous efforts – which date back almost a decade – may prove useful to such discussions.

On July 12, 2012, the National Telecommunications and Information Administration (“NTIA”) of the U.S. Department of Commerce convened the first meeting of its multistakeholder process to develop industry codes of conduct. As we reported in June, the stated purpose for this meeting, entitled “Seeking Common Ground Regarding Mobile Application Transparency,” was to establish “a working dialogue that will eventually lead to a code of conduct that is broadly adopted.” Lawrence Strickling, Department of Commerce Assistant Secretary for Communications and Information, opened the session, which he characterized as an effort to highlight the key issues and explore topics to be addressed. Strickling emphasized that the structure and approach to the work would likely differ from that with which participants were familiar, and that it would be important to arrive at a constructive process that encourages collaboration and open engagement.

On June 27, 2012, the Hong Kong Legislative Council passed a bill to amend the Personal Data (Privacy) Ordinance (the “Ordinance”). The amendment will become effective in phases. Most provisions will become effective on October 21, 2012, and the others will take effect on a day to be announced by publication in the Hong Kong Government Gazette.

In June, China’s National Internet Information Office and its Ministry of Industry and Information Technology jointly published draft amendments to the Regulation on Internet Information Services (the “Regulation”). The amendments update the Regulation to cover new issues related to the rapid development of Internet services in China since the Regulation first took effect on September 25, 2000. Although the Regulation originally contained no specific provisions directly pertaining to the protection of personal information, the draft amendments do address personal information protection issues.

The Department of Health and Human Services Office for Civil Rights (“OCR”) has posted an audit protocol on its website to provide information about the procedures currently being used by OCR as part of its new audit program.

The protocol is presented in a sortable table format listing the applicable sections of the relevant rules and the established performance criteria, key activities and audit procedures associated with each section. The audit protocol for the HIPAA Security Rule also lists whether the implementation specification is required or addressable pursuant to that Rule.

On July 1, 2012, the Article 29 Working Party (the “Working Party”) adopted WP196 (the “Opinion”) setting out an analysis of the legal framework associated with cloud computing, as well as recommendations directed at both data controllers and data processors in the European Economic Area (the “EEA”). The Opinion identifies two data protection risks associated with the deployment of cloud computing services, namely: (1) lack of control over the data and (2) lack of information on data processing. Cloud computing and the range and geographical dispersion of the various parties involved also have raised significant uncertainty in terms of applicable law, which the Working Party previously analyzed in its Opinion 8/2010. Below is an overview of the different topics covered in the Opinion issued on July 1.

On June 27, 2012, the Conference of the German Federal and State Data Protection Commissioners (the “Conference”) issued a Resolution and a comprehensive guidance paper regarding data protection compliance with respect to smart metering.

Smart metering is the use of intelligent energy networks and meters for monitoring and billing purposes. According to the Resolution, smart meter systems help guarantee a sustainable energy supply in terms of resource efficiency, environmental friendliness and the efficient production, distribution and use of energy. The guidance paper issued by the Conference describes and analyzes the individual processing activities involved in the various uses of smart metering in light of German data protection law. In particular, the guidance paper describes the “use cases” in terms of the respective level of data protection involved.