Privacy & Information Security Law Blog

In a landmark holding, the Israeli Supreme Court restricted the unmasking of an anonymous defendant on an online defamation case, holding that online anonymity is a constitutional right derived from the right to privacy and free speech.

Justice Michael Kirby was invited by the Organization for Economic Cooperation and Development (the “OECD”) to open the celebration of the 30th anniversary of the adoption of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.  Justice Kirby led the group of experts who worked from 1978-1980 to develop the Guidelines, which have formed the basis of modern privacy and data protection law.

Under a Washington law effective July 1, 2010, certain entities involved in payment card transactions may be liable to financial institutions for costs associated with reissuing payment cards after security breaches.  Designed to encourage the reissuance of payment cards as a means of mitigating harm caused by security breaches, Washington H.B. 1149 applies to three types of entities:  businesses, processors and vendors.  Under the law, a business is an entity that “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.” A processor is any entity, other than a business, that “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.” A vendor is any “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”

Provisions of the FTC’s revised rule that regulate advertisements for free credit reports become effective April 2, 2010.  As required by the Credit CARD Act of 2009, the FTC promulgated the revised rule on February 22, 2010, to prevent the deceptive marketing of free credit reports by companies that required consumers to sign up for paid products and services such as credit monitoring in order to receive the reports. 

On February 19, 2010, the Court of Appeals of Versailles (the “Court”) upheld the unlimited seizure and review of a company’s emails by several agents of the French Competition Authority (Autorité de la Concurrence).  The agents had been authorized by a lower court judge to inspect the emails pursuant to an investigation into an alleged abuse of dominant position in the pharmaceutical market.

On March 17, 2010, the French Data Protection Authority (the “CNIL”) published a report concerning on-site inspections and outlined its objectives for the coming year.  In the report, which was adopted on February 18, 2010, the CNIL indicated that it intends to conduct at least 300 on-site inspections throughout France in 2010, with a special focus on the following issues:

• ensuring compliance with CNIL decisions, in particular the CNIL’s standards for simplified notifications;
• verifying that data controllers comply with the technical recommendations defined in their registration forms; and
• assessing the effectiveness of data protection officers within organizations.

On March 17, 2010, the Federal Trade Commission convened the last of its three-part series of roundtable discussions entitled “Exploring Privacy.”  In her opening remarks, outgoing Commissioner Pamela Jones Harbour emphasized the critical importance of privacy to consumers, stating that “consumer privacy cannot be run in beta,” and that companies often inappropriately expose consumer data during new product rollout.  David Vladeck, Director of the FTC’s Bureau of Consumer Protection, then set the stage by invoking the “notice is broken” theme that recurred during the first two roundtables on December 7, 2009, and January 28, 2010, and was echoed by participants in the March 17 event.

The Wall Street Journal is reporting that outgoing FTC Commissioner Pamela Jones Harbour criticized technology companies for publicly exposing consumer data, particularly during the rollout of new products.  Ms. Harbour lamented that companies do not take consumer privacy seriously.  She singled out the launch of Google Buzz as irresponsible conduct by “one of the greatest technology leaders of our time.”  Consumer advocates raised alarm when Google Buzz initially established Google Gmail users’ social network connections automatically based on the users’ email and chat contacts, and made that list public by default.  Ms. Harbour reiterated the advocates’ sentiment by stating that, from the time the product launched, consumers rather than Google should have decided whether or not to subscribe to the features that could expose their contact data.  Soon after the launch, Google changed the defaults to allow users more control.  Google put forth a conciliatory message, stating that user transparency and control are top priorities for the company and that Google is continuing to improve Buzz based on the feedback the company receives.

In a decision handed down on February 25, 2010, the French Constitutional Court ruled that the right to privacy derives from Article 2 of the Declaration of Human Rights, and is therefore considered a constitutional right under French law.  The Court also ruled that the legislature must strike a balance between the right to privacy and other fundamental interests, such as preventing threats to public safety, which are necessary to preserve constitutional rights and principles.

In conjunction with the celebration of its 10th anniversary on March 16, the International Association of Privacy Professionals is releasing a white paper on the future of the privacy profession entitled, “A Call for Agility: The Next-Generation Privacy Professional.”  When the IAPP initially was formed, the role of the chief privacy officer was newly emerging following the dot-com boom.  Over the past 10 years, the exponential increase in data collection and retention have propelled the privacy professional into senior levels of management.  Reflecting the growth of the privacy professional’s role, the IAPP’s membership has grown to include over 6,500 privacy professionals from businesses, governments and academic institutions across 50 countries.

In 2009, for the first time in three years, more publicly reported data security breaches were caused by hackers than by other sources, such as insider theft.  The nonprofit Identity Theft Resource Center (“ITRC”) tracks breaches involving five categories of data loss: (i) “data on the move,” such as lost laptops; (ii) accidental exposure; (iii) insider theft; (iv) losses involving subcontractors; and (v) hacking.  The ITRC’s 2009 Breach Report analyzed 498 publicly reported breaches affecting over 222 million total records, concluding that hacking may be on the rise.

According to BNA’s Privacy Law Watch, on March 8, 2010, Senator Patrick Leahy asked President Obama to nominate members for the dormant Privacy and Civil Liberties Oversight Board.  The Board, which was created in 2004 upon the recommendation of the 9/11 Commission, focuses on ensuring that privacy and civil liberties concerns are incorporated into anti-terrorism laws and regulations.  Although President Obama had pledged in May 2009 to reconstitute the board, which has had no members since January 2008, privacy advocates say that his focus on cybersecurity issues has delayed ...

On March 9, 2010, the European Court of Justice ruled that the Federal Republic of Germany’s practice of “state supervision” over data protection authorities violates EU Data Protection Directive 95/46/EC.  The case, brought by the EU Commission, is a milestone which will force Germany to change the structure of its DPA system and could have ramifications in other countries as well.

The Court’s decision is based on Article 28(1) of the Directive, which requires that data protection authorities (“DPAs”) act with “complete independence.” German law makes a distinction with regard to DPA supervision depending on whether the data processing is carried out by public or non-public bodies.  There are therefore different authorities responsible for monitoring public entities’ compliance with data protection provisions versus those that monitor compliance by private parties and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) outside the public sector (such as transportation and utility companies).

On March 9, 2010, the Federal Trade Commission announced that LifeLock, Inc., has agreed to pay $12 million to settle charges of deceptive advertising related to its identity theft protection services.  The FTC and the attorneys general of 35 states obtained the coordinated settlement pursuant to charges that LifeLock made false representations regarding the effectiveness of the protection its services offer consumers.  The FTC alleged that, contrary to assertions made in LifeLock’s advertisements, its products provide no protection from the most common form of identity ...

On March 3, 2010, the Senate unanimously confirmed the nominations of Julie Brill and Edith Ramirez to serve as FTC Commissioners for seven-year terms.  Most recently, Ms. Brill has served as Deputy Attorney General for Consumer Protection and Antitrust for the State of North Carolina.  She was formerly Assistant Attorney General for Consumer Protection and Antitrust for the State of Vermont and has served as Chair of the Committee on Privacy for the National Association of Attorneys General.  Edith Ramirez is a partner at Quinn Emanuel Urquhart Oliver & Hedges, LLP in Los Angeles ...

Alberta’s Information and Privacy Commissioner, Frank Work, issued a news release regarding the recent Court of Appeal of Alberta decision in Alberta Teachers’ Association v. Alberta (Information and Privacy Commissioner).  In the case, the Court held that the Information and Privacy Commission has no authority to extend investigation time limits under the Personal Information Protection Act (“PIPA”) after the statutory time limit has expired.  Further, if the Commissioner extends the time in an inquiry process within the time limit, he must provide reasons for the extension, and his decision will be subject to judicial review.  The Court noted that “[b]lanket or routine extensions seem unlikely to be regarded as reasonable if they cannot also be justified in the specific circumstances of the case.”  PIPA is provincial legislation that governs the use of personal information by private sector organizations in Alberta.

On March 3, 2010, the UK Information Commissioner launched a report on the "Privacy Dividend" (the “Report”), which outlines the business case for proactively investing in privacy protection.  The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.

On February 24, 2010, the French Senate’s Committee of Laws published an amended bill on the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Bill”).  Following the initial draft presented by Senators Yves Détraigne and Anne-Marie Escoffier, this revised version is based on a second Senate Report in which concrete proposals are made to amend the Data Protection Act.

On March 2, 2010, the German Federal Constitutional Court ruled that the mass storage of telephone and Internet data for law enforcement purposes is unlawful in its current form.

Since 2008, the challenged law has required telecom companies to retain data from telephone, email and Internet traffic, as well as mobile phone location data, for six months.  This information may be retrieved for law enforcement and safety purposes.  Constitutional claims were brought before the Court by nearly 35,000 citizens, representing the largest mass claim proceeding in German history. 

On February 16, 2010, the Article 29 Working Party adopted Opinion 1/2010 (the “Opinion”) providing further clarification and guidance on the interpretation of the concepts of “data controller” and “data processor” in the context of the EU’s Data Protection Directive 95/46/EC.

On February 25, 2010, the Federal Trade Commission filed a notice that it is appealing the D.C. District Court’s December 28, 2009 judgment in favor of the American Bar Association in American Bar Association v. FTC.  The District Court’s summary judgment held that the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule” or the “Rule”) does not apply to attorneys or law firms.  The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain ...