Privacy & Information Security Law Blog

On March 8, 2013, the German government published a response to a formal inquiry from one of the German Parliament’s parties on the international security, data protection and surveillance implications of cloud computing. The response describes international cooperation between German and foreign law enforcement agencies that have used mutual legal assistance treaties to obtain cloud data in foreign jurisdictions. An earlier study by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs considered the scope of U.S. laws that allow surveillance of non-U.S. residents in a cloud computing context. The German government’s response now provides information on how German law enforcement agencies obtain data from clouds outside their jurisdiction (e.g., in the United States) pursuant to mutual legal assistance treaties.

On March 8, 2013, a U.S. federal appeals court issued a decision in the case United States v. Cotterman, holding that the federal government must have “reasonable suspicion” of criminal activity to conduct a forensic search of laptops and similar devices in the possession of individuals attempting to cross the border. The case arose after Howard Cotterman attempted to enter the United States by car at a checkpoint on the Mexican border. When border agents determined that he had a criminal record related to sexual misconduct, they seized his laptop and attempted to search it. They initially discovered some password-protected files but no proof of illegal activity and allowed him to enter the country but did not return his laptop. The agents then subjected the computer to a forensic analysis and discovered it contained child pornography in portions of the hard drive that had been deleted or protected with passwords. The federal district court ordered suppression of this evidence in the criminal case against Cotterman on the ground that the agents’ forensic analysis of his computer violated the Fourth Amendment’s prohibition on warrantless searches.

On March 28, 2013, the Department of Commerce’s Notice of Inquiry into “Incentives to Adopt Improved Cybersecurity Practices” was published in the Federal Register (78 Fed. Reg. 18954). This Notice, which includes a series of broad questions for owners of the nation’s critical infrastructure, follows up on earlier Commerce inquiries focused on incentives for noncritical infrastructure. The Notice states that Commerce will use the responses it receives to evaluate a set of incentives designed to encourage owners of critical infrastructure to participate in a voluntary cybersecurity program. The Notice also indicates that Commerce will use the responses to inform its evaluation of whether the incentives would require legislation or could be implemented pursuant to existing law and authorities. In addition, the Notice provides that Commerce may use the responses to develop a broader set of recommendations that would apply to U.S. industry as a whole.

On March 21-22, 2013, the data protection authorities (“DPAs”) of the Baltic states of Estonia, Latvia and Lithuania met in Riga, Latvia, for their second annual meeting to discuss several practical cooperation matters regarding data protection.

Hunton & Williams LLP is pleased to announce that Lisa J. Sotto, partner and head of the firm’s Global Privacy and Data Security practice, has been named to The National Law Journal’s “The 100 Most Influential Lawyers in America” list. Last published in 2006, this is only the eighth time this list of legal luminaries has been compiled since it was first established in 1985 as “Profiles in Power.”

On March 27, 2013, the UK Government announced the Cyber Security Information Sharing Partnership (“CISP”), a partnership between government and industry to share intelligence on cybersecurity threats.

Introduction of the CISP follows a successful pilot program across key UK sectors and is part of the UK’s Cyber Security Strategy to facilitate information-sharing on cyber threats. It introduces a secure web portal where government and industry partners can exchange real-time information regarding threats and vulnerabilities they have identified. It also sets up a team of expert analysts, the Fusion Cell, to draw together a single intelligence picture of cyber threats across the UK. It is understood that the Fusion Cell will be staffed by analysts drawn from industry, as well as the law enforcement and intelligence communities.

On March 26, 2013, the Article 29 Working Party issued a press release on the recent developments concerning cooperation between the EU and the Asia-Pacific Economic Cooperation group (“APEC”) on cross-border data transfer rules. A joint EU-APEC committee, which includes the French and German data protection authorities as well as the European Data Protection Supervisor and the European Commission, has been studying similarities and differences between the EU’s binding corporate rules (“BCRs”) framework and APEC Cross-Border Privacy Rules. The committee’s goal is to facilitate data protection compliance in this area for international businesses operating in the EU and the APEC region, including by creating a common frame of reference for both sets of cross-border data transfer rules.

On March 1, 2013, the Irish Presidency published a note to the European Council of Ministers regarding its progress on the European Commission’s proposed General Data Protection Regulation (“Proposed Regulation”). The Note details the Irish Presidency’s work to bring a more risk-based approach to the Proposed Regulation.

On March 22, 2013, Peru issued the implementing regulations of its new data protection law. The Reglamento de la Ley No 29733, Ley de Protección de Datos Personales (“Regulations”) provide detailed rules on a variety of topics, including the following:

• Territorial scope;
• notice and consent;
• data transfers;
• processing of personal data relating to children and adolescents;
• data processing in the communications and telecommunications sectors;
• outsourcing;
• information security;
• data subjects’ rights;
• registration of databases;
• codes of conduct; and
• enforcement.

On March 20, 2013, the French Data Protection Authority (“CNIL”) issued (in French) guidance on keylogger software (the “Guidance”). Keylogger software enables an employer to monitor all the activities that take place on an employee’s computer (such as every key typed on the computer’s keyboard and every screen viewed by the employee), without the employee’s knowledge.

On March 20, 2012, the UK Information Commissioner’s Office announced that it has issued a monetary penalty of £90,000 against DM Design Bedrooms Ltd. (“DM Design”) for making thousands of unwanted marketing calls.

On March 19, 2013, the French Data Protection Authority (“CNIL”) announced (in French) its annual inspection program, providing an overview of its inspections of data controllers in 2012 and a list of inspections that it plans to conduct in 2013. Under French data protection law, the CNIL is authorized to collect any useful information in connection with its investigations and has access to data controllers’ electronic data and data processing programs.

On March 20, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) held legislative deliberations regarding the European Commission’s proposed General Data Protection Regulation (”Proposed Regulation”). The LIBE Committee Chair, Juan Fernando López Aguilar, noted that 2,783 amendments to the Proposed Regulation and 504 amendments to the proposed Police and Criminal Justice Directive (“Proposed Directive”) have been tabled.

As reported in the Hunton Employment & Labor Perspectives Blog:

On March 19, 2013, in Standard Fire Insurance Co .v. Knowles, the United States Supreme Court ruled that stipulations by a named plaintiff on behalf of a proposed class prior to class certification cannot serve as the basis for avoiding federal jurisdiction under the Class Action Fairness Act of 2005 (“CAFA”).

On March 14, 2013, the United States District Court for the Northern District of California granted a motion to prohibit the government from issuing National Security Letters (“NSLs”) to electronic communication service providers (“ECSPs”) requesting “subscriber information” and enforcing nondisclosure clauses contained in such letters. The nondisclosure clauses are intended to prevent ECSPs from disclosing that they received an NSL. The court also held that the sections of two federal statutes relating to the nondisclosure provisions of NSLs, 18 U.S.C. §2709(c) and 18 U.S.C. §3511(b), (collectively, the “NSL Nondisclosure Statutes”) were unconstitutional because they violated the First Amendment as well as separation of powers principles. In light of the significant constitutional and national security implications, the court stayed enforcement of its judgment pending appeal to the Ninth Circuit, or for 90 days if no appeal is filed.

On February 12, 2013, the UK Information Commissioner’s Office published a further analysis of the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). This latest analysis supplements the initial analysis paper on the Proposed Regulation published on February 27, 2012. Although the general views expressed in its initial paper stand, the ICO has now provided greater detail regarding its views of the substantive provisions of the Proposed Regulation.

On March 15, 2013, European Data Protection Supervisor Peter Hustinx sent a letter to Juan Fernando López Aguilar, Chair of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), with his comments regarding certain aspects of the European Commission’s proposed revised data protection framework. On March 20, 2013, Peter Hustinx was invited to present his comments during a LIBE Committee meeting, together with the President of the Article 29 Working Party, Jacob Kohnstamm.

On March 12, 2013, the UK Government Justice Committee published a report on the functions, powers and resources of the UK Information Commissioner’s Office (the “Report”). The Report highlights several key issues raised during an oral evidence session held with the UK Information Commissioner, Christopher Graham, and his two Deputy Commissioners, David Smith and Graham Smith. The Justice Select Committee published the Report to draw these key issues to the attention of the UK Parliament.

On March 14, 2013, the 85th Conference of the German Data Protection Commissioners concluded in Bremerhaven. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

The U.S. Department of Commerce’s International Trade Administration (“ITA”) will host a data privacy seminar in Waltham, Massachusetts, on Monday, March 25 from 8:30 – 11:30 a.m. EST. Seminar participants will hear from a number of Commerce privacy experts who will discuss the Obama Administration’s privacy blueprint and provide updates on significant international developments involving the U.S.-European Union and U.S.-Swiss Safe Harbor Frameworks and the Asia-Pacific Economic Cooperation group’s work to implement the Cross-Border Privacy Rules System. These privacy developments could have a significant impact on your company and its compliance with laws and privacy regulations in the United States, Asia and Europe.

On February 27, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion (the “Opinion”) addressing personal data protection issues related to the development and use of applications on mobile devices. The Opinion identifies the key data protection risks associated with mobile apps and clarifies the legal framework and obligations applicable to the various parties involved in the development and distribution of mobile apps, including app stores, app developers, operating system and device manufacturers and advertisers.

On March 7, 2013, the UK Information Commissioner’s Office (“ICO”) published guidance (the “Guidance”) on Bring Your Own Device (“BYOD”) to explain to data controllers “what they need to consider when permitting the use of personal devices to process personal data for which they are responsible.” BYOD refers to the use of individuals’ personal devices to access and store corporate information.

On March 5, 2013, the German Federal Ministry of the Interior published proposed amendments (in German) to the German Federal Office for Information Security Law. These proposed amendments are significant because they establish a new duty to notify the German Federal Office for Information Security in the event of a cybersecurity breach.

As reported in The Washington Post, large financial institutions are increasingly disclosing cyber attacks, and potential vulnerability to cyber threats, in their annual reports filed with the Securities and Exchange Commission. Numerous banks disclosed such attacks in their 2012 reports, even in cases where the ongoing threat of the attacks did not result in any material harm to the institution. For example:

On March 8, 2013, the Federal Trade Commission issued a staff report entitled Paper, Plastic… or Mobile? An FTC Workshop on Mobile Payments (the “Report”). The Report is based on a workshop held by the FTC in April 2012 and highlights key consumer and privacy issues resulting from the increasingly widespread use of mobile payments.

Although the FTC recognizes the benefits of mobile payments, such as ease and convenience for consumers and potentially lower transaction costs for merchants, the Report notes three areas of concern with the mobile payments system: (1) dispute resolution, (2) data security and (3) privacy.

On March 12, 2013, Connecticut Attorney General George Jepsen announced that a coalition of 38 states had entered into a $7 million settlement with Google Inc. (“Google”) regarding its collection of unsecured Wi-Fi data via the company’s Street View vehicles between 2008 and 2010. The settlement is the culmination of a multi-year investigation by the states that we first reported on in 2010.

The UK Information Commissioner’s Office has opened a public consultation on a proposed code of practice for the press (the “Consultation”). Pursuant to Section 51 of the UK Data Protection Act 1998 (the “DPA”), the ICO has the authority to issue industry codes of practice.

On March 11, 2013, in Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court effectively reinstated the suit against the retailer by answering favorably for the plaintiff three certified questions from the United States District Court for the District of Massachusetts regarding Massachusetts General Laws Chapter 93, Section 105(a) entitled “Consumer Privacy in Commercial Transactions” (“Section 105(a)”). The court ruled that (1) a ZIP code constitutes personal identification information under the Massachusetts law; (2) a plaintiff may bring an action for a violation of the Massachusetts law absent identity fraud; and (3) the term “credit card transaction form” refers equally to electronic and paper transaction forms. The Massachusetts court’s determination that a ZIP code constitutes personal identification information is similar to the determination in Pineda v. Williams-Sonoma Stores, Inc., in which the California Supreme Court held that ZIP codes are “personal identification information” under California’s Song-Beverly Credit Card Act. More than 15 states, including Massachusetts and California, have statutes limiting the type of information that retailers can collect from customers.

On February 20, 2013, the UK Court of Appeal issued its decision in Smeaton v Equifax Plc, [2013] EWCA Civ 108, overturning an award of damages to an individual about whom a credit reference agency had maintained an inaccurate record.

On March 8, 2013, the European Union’s Justice and Home Affairs Council held legislative deliberations regarding the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”).

On March 7, 3013, Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, provided testimony to the International Trade Commission at a hearing on “Digital Trade in the U.S. and Global Economies.” The ITC is investigating digital trade issues, including how privacy law may act as an impediment to international digital trade.

In his testimony, Abrams outlined how privacy and data protection law affect digital trade, addressing issues such as the legal obstacles to big data and analytics and how data protection law creates barriers to ...

On March 5, 2013, the French Data Protection Authority (the “CNIL”) announced that the French High Council for Statutory Auditors (“H3C”) and the U.S. Public Company Accounting Oversight Board (“PCAOB”) signed a Statement of Protocol (the “Protocol”) on January 31, 2013, to govern the exchange of information, including personal data, between them.

On March 6, 2013, the French Data Protection Authority (the “CNIL”) announced that it launched a consultation of relevant private and public actors for the purpose of determining whether the CNIL should adopt an initiative on “Open Data.”

Two recently-published German court decisions have clarified German employee data protection law. The decisions validate the independence of works councils in determining how to comply with data protection law and clarify when unused employee email accounts can be deleted.

On March 1, 2013, the German Federal Council (Bundesrat) passed a new registration law after insisting on a number of important amendments (in German). Among other issues covered in the bill, the new law regulates how businesses can obtain the registered addresses of individuals in Germany from Germany’s public authorities (“official address data”) and use that information for commercial purposes.

On February 27, 2013, the Article 29 Working Party (the “Working Party”) issued a statement on the European Commission’s proposed revised data protection framework (“Statement”), including the proposed General Data Protection Regulation (“Proposed Regulation”). The Working Party offered amendments to the Proposed Regulation in the form of two Annexes to the Statement on the topics of competence and lead data protection authority (“DPA”) and the exemption for household or personal activities.

On February 28, 2013, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) announced the release of “Big Data and Analytics: Seeking Foundations for Effective Privacy Guidance,” a paper intended to help organizations and policymakers develop a governance framework for using analytics in a way that protects privacy and promotes innovation. The paper, which is the product of an industry-sponsored initiative led by the Centre, suggests a two-phase approach that separates how organizations discover what data can reveal from how those insights are applied to knowledge development and decisionmaking. This approach lays the foundation for workable, effective governance.

On February 26, 2013, the United States Supreme Court decided in Clapper v. Amnesty International that U.S. persons who engage in communications with individuals who may be potential targets of surveillance under the Foreign Intelligence Surveillance Act (“FISA”) lack standing to challenge the statute’s constitutionality. The Supreme Court determined that the plaintiffs’ alleged injuries were not “certainly impending” and that the measures they claimed to have taken to avoid surveillance were not “fairly traceable” to the challenged statute. Although this 5-4 decision would not be considered a “privacy” or “data breach” case, the Court’s analysis will have a significant impact on such cases going forward, and may thwart the ability of individuals affected by data breaches to assert standing based on possible future harm.