Privacy & Information Security Law Blog

In a statement released on July 29, 2010, the UK Information Commissioner's Office ("ICO") has found that the information collected by Google from unsecured WiFi networks during the Street View photography capture exercise "does not include meaningful personal details that could be linked to an identifiable person."  This follows an assessment carried out by the ICO on a sample of the data in question at Google's London offices.

On July 27, 2010, Senator John Kerry (D-Mass.) announced his intention to introduce an online privacy bill to regulate the collection and use of consumer data.  “Our counterparts in the House have introduced legislation and I intend to work with Senator Pryor and others to do the same on this side with the goal of passing legislation early in the next Congress,” Kerry said in a prepared statement.  Senator Kerry is the Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet.  He indicated that his bill would go beyond the regulation of targeted ...

Rite Aid has agreed to pay $1 million and implement remedial measures to resolve Department of Health and Human Services (“HHS”) and Federal Trade Commission allegations that it failed to protect customers’ sensitive health information.  The FTC began its investigation following news reports about Rite Aid pharmacies using open dumpsters to discard trash that contained consumers’ personal information such as pharmacy labels and job applications.  The FTC took issue with this practice in light of the pharmacy’s alleged claims that “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously . . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.”  At the same time, HHS began investigating the pharmacies’ disposal of health information protected by the Health Insurance Portability and Accountability Act.

On July 20, 2010, Hunton & Williams announced the release of the first edition treatise Privacy and Data Security Law Deskbook (Aspen Publishers) by lead author Lisa J. Sotto, managing partner of the firm’s New York office and head of the firm’s global Privacy and Information Management practice.  The deskbook provides a detailed overview (with thousands of specific citations for the legal practitioner) of those areas of information privacy and data security law that have the greatest impact on and are most relevant to U.S. businesses operating in the global arena.  In addition ...

On July 14, 2010, the Article 29 Working Party issued a press release regarding its findings on the implementation of the European Data Retention Directive (Directive 2006/24/EC).  The findings, compiled in a report to be contributed to the European Commission’s forthcoming evaluation of the Directive, indicate that the obligation to retain all telecom and Internet traffic data is not being applied correctly or uniformly across the EU Member States.  Specifically, the Working Party’s press release states that service providers retain and share data in ways contrary to the Directive.  The Working Party further noted that Member States’ reluctance to provide statistics on the use of retained data limits the ability to verify the value of data retention practices.

On July 21, 2010, a coalition of 38 states sent a letter to Google demanding more information about the company’s collection of data from unsecured wireless networks by its Google Street View vehicles.  The letter was sent by Connecticut Attorney General Richard Blumenthal on behalf of the executive committee of a multistate working group investigating Google Street View practices.  As we reported on June 22, Blumenthal has spearheaded the nationwide investigation into Google Street View.  Among other things, the letter asks Google to identify who was responsible for the software code that allowed the Street View cars to collect data broadcast over Wi-Fi networks, and for a list of states where unauthorized data collection occurred.  The letter also asks Google for details regarding whether any of the data was disclosed to third parties or used for marketing purposes.

On July 7, 2010, the German Federal Office for Information Security, the Bundesamt für Sicherheit in der Informationstechnik (“BSI”), published a basic paper on data security and data protection for radio-frequency identification (“RFID”) applications.  The paper, Technical Guidelines RFID as Templates for the PIA-Framework, describes how to use RFID in compliance with data protection requirements, and explains the relationship between the BSI’s technical guidelines for the secure use of RFIDs and the European Commission’s Privacy Impact Assessment (“PIA”) Framework.

On June 1, 2010, Ukraine’s parliament adopted a bill on the protection of personal data which introduces a comprehensive regulatory regime for data processing in the country.  The bill was signed by the President of Ukraine on June 24, 2010, and will come into force on January 1, 2011.

On July 19, 2010, the Article 29 Working Party published a new set of frequently asked questions aimed at addressing some of the issues raised by the European Commission’s new Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries (2010/87/EU).  Among other things, the FAQs address the scope of the new model clauses and whether they can be used for intra-EEA data transfers.  The FAQs also clarify certain issues related to sub-processing.

The UK Ministry of Justice has issued a Call for Evidence on the effectiveness of current data protection legislation in the UK.  Responses must be submitted by October 6, 2010.  “It will give the [UK] Government a solid evidence base to use in negotiations with other European Union parties.  I believe we have everything to gain from a sensible, proportionate and rights-based data protection framework, and one that works for you as businesses, service-providers and citizens,” said Minister of State for Justice, Lord McNally.

The European Union’s Article 29 Working Party adopted a detailed recommendation on accountability which was submitted to the European Commission on July 13, 2010.  Opinion 3/2010 elaborates on the Working Party’s 2009 recommendation to include a new principle on accountability in the revised EU Data Protection Directive.  The Opinion’s executive summary states:

“EU data protection principles and obligations are often insufficiently reflected in concrete internal measures and practices.  Unless data protection becomes part of the shared values and practices of an organization, and responsibilities for it are expressly assigned, effective compliance will be at considerable risk, and data mishaps are likely to continue.

…this Opinion puts forward a concrete proposal for a principle on accountability which would require data controllers to put in place appropriate and effective measures to ensure that principles and obligations set out in the Directive are complied with, and to demonstrate so to supervisory authorities upon request.”

David Vladeck, Director of the FTC’s Bureau of Consumer Protection, recently sent a letter to creditors of XY Magazine, warning that the creditors’ acquisition of personal information about the debtor’s subscribers and readers in contravention of the debtor’s privacy promises could violate the Federal Trade Commission Act (“FTC Act”).

On June 21, 2010, the French Data Protection Authority (the “CNIL”) published its Opinion on a new security bill, the Loi d'orientation et de programmation de la performance de la sécurité intérieure (referred to as “LOPPSI”), which was adopted by the French National Assembly on February 16, 2010, and recently amended by the Senate's Commission of Laws on June 2, 2010.

In a recently published decision rendered on June 16, 2010, the Frankfurt am Main Higher Regional Court ruled that an Internet access provider may store IP addresses for seven days, and therefore, customers have no right to demand immediate deletion of their IP addresses.  The Court’s ruling upheld a decision originally rendered by the regional court of Darmstadt.

The claimant had requested that Deutsche Telekom AG delete the dynamic IP address assigned and stored for each Internet session immediately upon disconnection by a user.  Up to that point, the Internet provider had been retaining IP addresses for 80 days after each billing cycle.  In June 2007, the lower court granted the claimant request, imposing a maximum retention period of seven days for IP addresses.  The Internet provider reduced its IP address retention period accordingly, based on an agreement with the German federal data protection authority.

Hunton & Williams is pleased to announce its 2010 rankings from Chambers and Partners and The Legal 500 United States.  The firm was ranked #1 in both surveys for its Privacy and Information Management practice.

Once again, the firm was ranked in "Band 1" for Privacy and Data Security by both the Chambers USA and Chambers Global guides.  Chambers notes, "the team is particularly praised for its international expertise, especially in matters involving the European Union, such as cross-border data transfers."  Clients note that the firm "is a major competitor, especially on data ...

On July 6, 2010, the Irish government formally objected to the adequacy procedure initiated by the European Commission that would have allowed the free flow of European personal data to Israel, over concerns of the possible use of the information by Israeli officials.  This political move follows recent revelations regarding forgery of European passports, including several from Ireland, and their alleged use by Israel’s intelligence services.

On July 7, 2010, the UK Information Commissioner’s Office published a new code of practice for the collection of personal data online.  Launching the new code at a data protection conference, UK Information Commissioner Christopher Graham said, “the benefits of the internet age are clear: the chance to make more contacts, quicker transactions and greater convenience.  But there are risks too.  A record of our online activity can reveal our most personal interests.  Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO.”

On July 8, 2010, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking to modify the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996.  The modifications implement changes made by the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009.

On July 6, 2010, Mexico’s Ley Federal de Protección de Datos Personales en Posesión de los Particulares came into force.  As we previously reported, on April 27, 2010, the Mexican Senate unanimously approved this landmark federal data protection law governing the collection, processing and disclosure of personal data by the private sector.  Pursuant to the adoption of the new law, the Mexican Federal Institute of Access to Public Information has changed its name to the Federal Institute of Access to Information and Data Protection.

As reported by the IAPP, the Institute’s ...

Bret Taylor, the Chief Technology Officer of Facebook, announced this week on the Facebook Blog that the company will enhance privacy protections pertaining to third-party applications.  When a Facebook user logs into a third-party application with his or her Facebook account, the application will only be able to access the public parts of the user’s Facebook profile.  If the application wants to access private sections of a user’s Facebook profile, the application has to explicitly ask the Facebook user for permission.  For example, if a greeting card application wants to ...