Privacy & Information Security Law Blog

Connecticut’s newly-elected Attorney General George Jepsen recently announced an agreement with Google, Inc. concerning the company’s refusal to comply with a Civil Investigative Demand brought by his predecessor, freshman Senator Richard Blumenthal (D-CT).  According to a January 28, 2011 press release, to facilitate settlement discussions with the Connecticut-led, 40-state coalition, Google will stipulate that “payload data” compiled in 2008 and 2009 “contained URLs of requested Web pages, partial or complete e-mail communications or other information, including confidential and private information” transmitted by individuals across unsecured wireless networks.

On January 28, 2011, the Centre for Information Policy Leadership at Hunton & Williams LLP filed comments with the United States Department of Commerce in which the Centre stressed privacy governance based on data stewardship by accountable organizations.  The Centre was one of a number of organizations that submitted comments in response to the Department of Commerce’s privacy paper, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” which was released in December 2010.  The theme of today’s comments is similar to that which the Centre suggested earlier this month in its comments responding to the European Commission’s consultation paper.

In the past two months, lawmakers in three states have introduced legislation that would expand the scope of certain security breach notification requirements.

Virginia SB 1041

On January 11, 2011, Virginia lawmakers introduced SB 1041, which would amend the state’s health breach notification statute to impose notification requirements on businesses, individuals and other private entities, in the event unencrypted or unredacted computerized medical information they own or license is reasonably believed to have been accessed and acquired by an unauthorized person.  The law currently applies only to organizations, corporations and agencies supported by public funds.  In addition to broadening the scope of the law’s applicability, the amendment would permit the Virginia Attorney General to impose a civil penalty of up to $150,000 per breach (or series of similar breaches that are discovered pursuant to a single investigation), without limiting the ability of individuals to recover direct economic damages for violations.

Update: On February 11, 2011, BNA's Privacy Law Watch reported that SB 1041 had failed and would not be carried over to the next legislative session.

On January 24, 2011, the data protection authority of the German state of Rhineland-Palatinate issued a press release regarding significant breaches of data protection law by companies that maintain websites and create user profiles.

While much of the attention of the privacy policy community in Washington, D.C. has been focused on the two reports issued in December 2010 by the Federal Trade Commission and the Department of Commerce, a third government report has received far less press attention, but may have a greater impact on U.S. business and consumers.  The work of the President’s Council of Advisors on Science and Technology (“PCAST”) and its Health Information Technology Working Group, the report, “Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward,” was released by the White House on December 8, 2010.

On January 19, 2011, the United States Supreme Court issued a unanimous ruling in National Aeronautics and Space Administration v. Nelson, finding that questions contained in background checks NASA conducted on independent contractors are reasonable, employment-related inquiries that further the government’s interests in managing its internal operations.  Stating that “[t]he challenged portions of the forms consist of reasonable inquiries in an employment background check,” the Court reversed a Ninth Circuit decision that the questions NASA asked of the contractors invaded their privacy.

On January 17, 2011, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released a response to the European Commission’s consultation paper, “A comprehensive approach on personal data protection in the European Union.”  In its response, prepared by Richard Thomas, former UK Information Commissioner and Global Strategy Advisor of the Centre, the Centre calls for a modernized European framework for data protection that addresses the realities of the digital age.

On January 14, 2011, the European Network and Information Security Agency (“ENISA”), which was created to enhance information security within the European Union, published a report entitled “Data breach notifications in the EU” (the “Report”).

Currently, there is wide debate throughout the EU regarding data breach notification requirements.  The debate stems from recent high-profile data breach incidents and the introduction of mandatory data breach notification requirements for telecommunication service providers imposed by EU Directive 2009/136/EC (amending EU Directive 2002/58/EC, the “e-Privacy Directive”), which must be integrated into EU Member States’ national laws by May 25, 2011.  The goal of the Report is to assist Member States, regulatory authorities and private organizations with their implementation of data breach notification policies.

On January 13, 2011, a Bill (Projet de loi organique relatif au Défenseur des droits) containing several amendments to the French Data Protection Act was preliminarily adopted by the French National Assembly.  If enacted, the Bill would amend several key provisions of the French Data Protection Act, including revisions regarding the powers of the French Data Protection Authority (the “CNIL”), and the role of Chairman of the CNIL.  The amendments are summarized below.

On January 12, 2011, Adobe Systems Incorporated (“Adobe”) announced in its Adobe Flash Platform Blog that it is working with browser vendors to integrate control features into browser user interfaces that will allow users to more easily control local shared objects (“LSOs”) on their computers.  Local shared objects, often referred to as Flash cookies, store information about online activity, including things like browsing history, login details and preferences.  In August 2010, we reported on several lawsuits that had been filed against online advertising networks for, among other things, using Flash cookies to re-create deleted browser cookies.

Earlier this month, the Belgian Privacy Commission (the “Belgian DPA”) published its December 15, 2010 Recommendation on Mobile Mapping (Recommandation d’initiative en matière de Mobile Mapping, or “the Recommendation”).  The Recommendation defines Mobile Mapping as “technology by which a vehicle equipped with a camera and/or a scanner can digitally record all data on a specific road, including by taking 360° photos.”  The scope of the Recommendation covers not only applications such as Google Street View, but also other types of Mobile Mapping such as mapping by public authorities, mapping for tourism, real estate applications and GPS navigation mapping.

On January 11, 2011, Michelle O’Neill, U.S. Department of Commerce Deputy Under Secretary for International Trade, held a briefing on her November 2010 meetings in Brussels with European data protection authorities.  She discussed a data protection and privacy forum that was convened in November at which she met with several high-level European regulators, including Jacob Kohnstamm, Viviane Reding and Peter Hustinx.  O’Neill mentioned “the right to be forgotten” as a current hot-button issue in Europe.  Commissioner Reding, who is firmly in charge of the reconsideration of the EU Data Protection Directive, focused on ensuring easier compliance with EU data protection rules and greater harmonization among Member States.  O’Neill stated that Peter Hustinx was encouraged by the work ongoing in the United States, including the “Green Paper” issued by the Department of Commerce.  He considers the various U.S. efforts a basis for further dialogue with U.S. authorities.  O’Neill noted that comments to the EU consultation are due January 15, 2011.  The Department of Commerce intends to file a response.

In late December 2010, consumers filed two class action lawsuits against Apple Inc., claiming that several applications they downloaded from Apple’s App Store sent their personal information to third parties without their consent.  Specifically, the consumers claim that Apple allowed third party advertising networks to follow user activity through the Unique Device Identifiers that Apple assigns each device that downloads applications.  The complaint, filed in the U.S. District Court for the Northern District of California, also named several application developers such as Pandora and The Weather Channel as co-defendants.

Early this week, the Article 29 Working Party issued its December 16, 2010 Opinion on applicable law, providing guidance on the scope of EU data protection law and the practical implications of Article 4 of the EU Data Protection Directive (95/46/EC, the “Directive”).

The purpose of the Working Party’s Opinion 8/2010 (the “Opinion”) is twofold.  First, it intends to clarify the current scope of EU data protection law with regard to the processing of personal data within and outside the European Economic Area (the “EEA”).  The clarifications by the Working Party are aimed at enhancing legal certainty for data controllers, providing a clearer framework for individuals and stakeholders and avoiding legal loopholes and potential conflicts between overlapping national data protection laws.  Throughout the Opinion, practical examples are used to demonstrate the clarifications, such as in the context of centralized HR databases, geolocation services, cloud computing and online social networks.  Furthermore, in light of the general revision of the EU data protection framework, the Opinion includes suggestions to improve the existing applicable law provisions in the EU Data Protection Directive.