
Posts from November 2012.

On November 22, 2012, the Brussels-based publication European Voice published an editorial by U.S. Department of Commerce General Counsel Cameron Kerry entitled Avoiding a Data Divide Between the US and the EU. The article notes the importance of continued collaboration between the European Union and the United States as both assess their respective privacy frameworks to ensure that any changes encourage enhanced trade and strong economic growth, but also contain robust protections for consumers. Mr. Kerry’s editorial emphasizes the need to foster global privacy ...

On November 22, 2012, the UK Ministry of Justice released a written ministerial statement (“Statement”) announcing the publication of its Government Impact Assessment on the European Commission’s legislative reform package on the EU data protection framework. The European Commission has claimed that a regulation implementing a single set of data protection rules across the European Union would save businesses around €2.3 billion a year. In its Statement, the Ministry of Justice disagrees, stating that the Commission’s proposals will impose burdens that “far outweigh” the benefits. At a time of great economic upheaval across Europe, the Ministry of Justice asserts that the regulatory burden should be reduced, not increased, to stimulate growth, and that it is “difficult therefore to justify the extra red-tape and tick box compliance that the proposals represent.” The Ministry of Justice also notes that “[t]he UK Government is seriously concerned about the potential economic impact of the proposed data protection Regulation.”

On November 28, 2012, the UK Information Commissioner’s Office (“ICO”) issued monetary penalties totaling £440,000 to two owners of a marketing company that sent millions of unlawful spam SMS text messages over a period of three years.

On November 26, 2012, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published guidance on the two methods for de-identifying protected health information (“PHI”) in accordance with the HIPAA Privacy Rule. The guidance, which was required by the Health Information Technology for Clinical and Economic Health (“HITECH”) Act, has been developed over several years by OCR in collaboration with healthcare entities and other industry experts and builds upon the discussions from a workshop on de-identification that took place in March 2010.

On November 27, 2012, the International Chamber of Commerce of the United Kingdom (“ICC UK”) released the second edition of its cookie guidance (the “Guidance”). The ICC UK released the first edition of the Guidance in April of this year, and has produced this latest version to take into account updated guidance released by the UK Information Commissioner’s Office (“ICO”), the Article 29 Working Party Opinion 04/2012 on cookie consent exemption and new UK advertising rules on online behavioral advertising.

On November 19, 2012, 40 German advertising associations launched the “German Data Protection Council for Online Advertising,” a new initiative to coordinate and enforce self-regulation in the German online behavioral advertising (“OBA”) sector. The initiative is linked to the European Interactive Digital Advertising Alliance (“EDAA”), which manages the self-regulation efforts of the European online advertising industry.

On December 3, 2012, the Centre for Information Policy Leadership (the “Centre”) at Hunton & Williams will co-host a special International Association of Privacy Professionals (“IAPP”) KnowledgeNet meeting in Brussels, Belgium. The meeting will explore global developments in accountability in the context of the proposed EU Data Protection Regulation and the impact of accountability on data protection management.

Hunton & Williams is pleased to announce the firm maintained its top-tier “Band 1” ranking in Data Protection in the 2013 edition of Chambers UK. Our London-based principals also maintained their high rankings as leading Data Protection lawyers:

In late October 2012, California Attorney General Kamala D. Harris began sending letters to approximately 100 mobile app operators, informing them that they are not in compliance with the California Online Privacy Protection Act (“CalOPPA”). Pursuant to CalOPPA, “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service” must post a privacy policy that contains specified elements. A mobile app arguably could be an “online service” under CalOPPA, which provides that an online service operator that collects “personally identifiable information” and “fails to post its policy within 30 days after being notified of noncompliance” is in violation of CalOPPA. The law affects a wide range of mobile app operators because of its very broad definition of “personally identifiable information,” which includes any “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form,” such as a name, an email address or any other identifier “that permits the physical or online contacting of a specific individual.”

On November 16, 2012, European Data Protection Supervisor Peter Hustinx published an Opinion on the European Commission’s Communication on cloud computing (part of the Commission’s broader cloud computing strategy). The Opinion focuses on the accountability principle, emphasizes the importance of clearly defining the responsibilities of all parties involved in cloud computing, and analyzes specific cloud computing issues in the context of both the current EU data protection framework and the proposed General Data Protection Regulation.

On November 15, 2012, the UK Office of Fair Trading (the “OFT”) launched a call for information to investigate whether offering “personalized pricing” based on data companies collect about consumers’ online behavior violates consumer protection legislation in the UK. The OFT will look at how companies gather data related to “consumers’ browsing history, purchases, demographic, hardware, operating system, etc and use this to personalise products and prices.” In particular, as indicated on the OFT’s website, the OFT will analyze:

On November 20, 2012, the UK Information Commissioner’s Office (“ICO”) published guidance on IT asset disposal for organizations (the “Guidance”) to explain “to data controllers what they need to consider when disposing of electronic equipment that may contain personal data.”

On November 20, 2012, the UK Information Commissioner’s Office (“ICO”) published “Anonymisation: Managing Data Protection Risk Code of Practice” (the “Code”). The purpose of the Code is to provide organizations with a framework for assessing the risks of anonymization. It also sets forth good practice recommendations that may be adopted by organizations to provide a “reasonable degree of confidence” that the publication and sharing of anonymized data will not lead to an “inappropriate disclosure of personal data.” The published Code follows a consultation on the same topic earlier this year. The ICO also announced the creation of the UK Anonymisation Network, which will promote the sharing of good practices related to anonymization across the public and private sectors.

On November 9, 2012, a federal District Court in Washington certified a national class and a Washington state sub-class in an action alleging that Papa John’s International, Inc. (“Papa John’s”) violated the Telephone Consumer Protection Act (“TCPA”) by sending unsolicited text messages advertising its pizza products. The court determined that plaintiffs had standing and satisfied all other requirements for class certification.

On December 5, 2012, at 1:00 p.m. EST, the U.S. Department of Commerce’s International Trade Administration (“ITA”) will be hosting a webinar to discuss data privacy issues. Webinar participants will hear from Commerce privacy experts on the Obama Administration’s privacy blueprint. There also will be an update on significant international data privacy developments such as the Asia-Pacific Economic Cooperation (“APEC”) forum’s work to implement the Cross-Border Privacy Rules (“CBPRs”) system and the U.S.-European Union and U.S.-Swiss Safe Harbor ...

In a joint-agency media conference and press release with the Federal Trade Commission today, the Consumer Financial Protection Bureau (“CFPB”) used the “rulemaking-through-enforcement” method of regulation to create several de facto guidelines for what is “unfair, deceptive, or abusive” in mortgage advertising. Bypassing the more arduous rulemaking process, the CFPB published “sample warning letters” that effectively made the following advertising practices illegal:
  1. Falsely suggesting – through the incorporation of “Government Loan Department” in a company’s return address at the top of an advertisement, the use of a logo very similar to that of the United States Department of Housing and Urban Development, and the prominent display of a website address that includes the initials of the Federal Housing Administration – that a company is affiliated with a government agency or government-sponsored program (i.e., ads with misrepresentations about government affiliation);

Following the launch of Hunton & Williams’ Data Protection Executive Briefing Paper on the proposed EU Data Protection Regulation, we are pleased to announce that on November 29, 2012, we will host a further workshop to explore the challenges facing processors under the draft Regulation. In this workshop, attendees will:
  • Explore how obligations on processors are likely to expand significantly;
  • Learn how these new obligations will affect both processors and controllers; and
  • Create a checklist for preparing for the changes ahead.

On November 13-15, 2012, delegates at the IAPP Europe Data Protection Congress in Brussels were given insight into how discussions with key policymakers are progressing. European Parliament rapporteur and Member of the European Parliament Jan Philipp Albrecht aims to finalize the reform of the EU Data Protection Directive by the end of the current European Parliament’s mandate in 2014, but this ambitious goal faces numerous hurdles.

In partnership with SC Magazine, we are pleased to announce that on November 22-23, 2012, SC Magazine will host its 2012 Virtual Summit “Tackling the Big 3: Clouds, Consumerisation, Cybercrime,” featuring Hunton & Williams partner Bridget Treacy. Following a year of sharp increases in data breaches and regulatory fines, the SC Summit will explore and focus on cybercrime, mobile devices and cloud security – three key priorities for 2013. Bridget Treacy and Paul Swarbrick, Chief Information Security Officer and Head of Cybersecurity for National Air Traffic Services, will open the Summit with their keynote presentation, “Where’s the Danger? From Cybercrime to Consumerisation to the Cloud, Today’s Most Potent Threats Unmasked.” Paul will discuss the data security issues that keep him awake at night and Bridget will offer vital, current perspective on the ever-changing legal landscape.

On November 8, 2012, the 84th Conference of the German Data Protection Commissioners concluded in Frankfurt (Oder). This bi-annual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information Peter Schaar to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On November 10, 2012, the German working group on technical and organizational data protection matters published guidelines (in German) on the technical and organizational separation requirements for automated data processing on shared IT systems (the “Guidelines”). The working group is part of the Conference of the German Data Protection Commissioners, which recently concluded its 84th Conference in Frankfurt (Oder).

The UK Information Commissioner’s Office (“ICO”) recently published a questionnaire to gather feedback on how privacy seals might be used to improve data protection compliance and customer privacy awareness. The questionnaire is available online until November 30, 2012.

On October 30, 2012, the U.S. District Court for the Southern District of California ruled that an opt-out confirmation text sent by Citibank (South Dakota), N.A. (“Citibank”) did not violate the Telephone Consumer Protection Act (“TCPA”). Under a “common sense” interpretation, the court determined that Citibank’s opt-out text does not demonstrate the type of invasion of privacy the TCPA seeks to prevent.

Hunton & Williams LLP is pleased to announce that several privacy attorneys were named to the New York Metro Super Lawyers list for 2012. For the seventh consecutive year, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, was selected as a New York Super Lawyer. In addition, partner Aaron P. Simpson was included as a Rising Star for the second year in a row, and associate Melinda L. McLellan debuted in the Rising Stars category. As members of the firm’s Privacy and Data Security team, their practices focus on complex privacy and ...

Bloomberg Law’s Lee Pacchia interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, to discuss the recent data security incident involving Barnes & Noble stores. Sotto discussed life in the modern world of technology where there is an increased risk of data security incidents, and many companies only reach out to counsel after a data breach occurs. Sotto also described how large companies should protect themselves against these sophisticated cyberattacks. View the full live interview now.

On October 26, 2012, three resolutions were adopted by the closed session of the 34th International Conference of Data Protection and Privacy Commissioners and have been published on the conference website. Below we provide an overview of these resolutions.

Reporting from Washington, D.C., Hunton & Williams partner Frederick Eames writes:

Elections have consequences. What are the consequences of the 2012 election on U.S. federal privacy, data security and breach notice legislation? We outline some key developments in the U.S. House of Representatives and Senate and explain how these developments might affect legislative priorities and prospects for the 113th Congress beginning in 2013.

The Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osobowych or “GIODO”) announced that it will host the 35th International Conference of Data Protection and Privacy Commissioners on September 23-27, 2013, in Warsaw, Poland. The first two days will be dedicated to the closed session, with the open sessions and side events taking place September 25-27.

In February 2013, the GIODO will facilitate the Global Accountability Project for which the Centre for Information Policy Leadership acts as Secretariat.

On October 26, 2012, the Federal Trade Commission finalized its settlement agreements with two businesses that allegedly exposed thousands of customers’ sensitive personal information by allowing peer-to-peer (“P2P”) file-sharing software to be installed on the companies’ computer systems. The approved settlements prohibit Georgia auto dealer Franklin’s Budget Car Sales, Inc. (“Franklin”) and Utah-based debt collector EPN, Inc. (“EPN”) from misrepresenting their privacy and information security practices and require both businesses to establish and maintain a comprehensive information security program subject to biennial, independent, third-party audits for 20 years. The settlement with Franklin also bars the company from violating the Gramm-Leach-Bliley Act (“GLBA”) Safeguards Rule and Privacy Rule.

On November 7, 2012, the Federal Trade Commission announced that it had settled charges against payday lending and check cashing companies alleged to have improperly disposed of consumers’ personal information. In its complaint, the FTC maintained that PLS Financial Services, Inc., and The Payday Loan Store of Illinois violated the FTC’s Disposal Rule as well as the Gramm-Leach-Bliley Act’s Privacy Rule and Safeguards Rule by disposing of documents that contained consumers’ Social Security numbers, bank account numbers and credit reports in unsecured dumpsters near the companies’ payday lending and check cashing retail stores. The FTC also alleged that the companies violated the FTC Act by misrepresenting that they would reasonably protect consumer information.

On October 29, 2012, the UK Information Commissioner’s Office (“ICO”) served private sector financial services company The Prudential Assurance Company Limited (“Prudential”) with a monetary penalty of £50,000 in connection with a serious violation of the Data Protection Act 1998 (“DPA”). The violation concerned a mix-up involving Prudential customer details. In March 2007, the customer records of two individuals who shared the same first name, surname and date of birth were mistakenly merged into a single customer record. Over the course of the following three years, mortgage and pension policy information relating to each customer was routinely sent to the wrong individual until Prudential took steps to separate the two customers’ records in September 2010.

On October 31, 2012, the UK Information Commissioner’s Office (“ICO”) published a consultation on changes to the notification process in the UK (the “Consultation”), which will be open for comment until November 30, 2012. The purpose of the Consultation is to provide the ICO with feedback on its proposed changes regarding: (1) whether an online and telephone payment service would be beneficial to data controllers, (2) whether the inclusion of contact details for information requests is useful and (3) whether the format of the public register should become narrative-based. The ICO is also seeking input regarding whether these changes would make the public register more meaningful and notification simpler for data controllers.

On October 24, 2012, the UK Justice Select Committee (the “Committee”), appointed by the House of Commons to examine the expenditure, administration and policy of the UK Ministry of Justice, published its opinion on the proposed General Data Protection Regulation (the “Proposed Regulation”) and proposed Police and Criminal Justice Data Protection Directive (the “Proposed Directive”). In the opinion, the Committee agrees that new proposals are necessary, both to update the existing data protection framework and to “confer on individuals their new rights and freedoms.” The Committee expresses reservations, however, regarding a number of key issues, and concludes that the European Union data protection proposals “need to go back to the drawing board.” The Committee notes that in its present form, the Proposed Regulation will not produce a “proportionate, practicable, affordable or effective system of data protection in the EU.”

On October 26, 2012, following the Justice Council’s meeting, Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, delivered a speech highlighting that the Commission’s proposed data protection law reform package is currently at a crucial stage in the negotiation process. Commissioner Reding stated that “[a] high level of data protection will turn the European Union into an international standard setter” and that “[o]nly a high level of data protection will generate trust between citizens and private enterprises.” Commissioner Reding conceded, however, that “[w]e do not want rules that place an excessive burden on business,” and that the Commission is prepared to make certain concessions relating to the draft proposals in order to “strike the right balance.”
