Privacy & Information Security Law Blog

As reported in the Hunton Employment & Labor Perspectives Blog, Connecticut recently became the latest state to pass a law regulating employer use of credit reports. The law, which goes into effect on October 1, 2011, prohibits employers from requiring employees or prospective employees to consent to the employer requesting their credit report as a condition of employment.  The full post includes a discussion of the exceptions to this restriction.

Read our previous posts on regulatory scrutiny of employee credit checks and a similar Illinois law that went into effect on January 1 ...

Read the Dallas Business Journal's DBJ Confidential blog post discussing Hunton & Williams partner Lisa J. Sotto's thoughts on how companies should approach privacy issues in the United States. Sotto was interviewed while in Dallas giving a privacy law presentation for in-house counsel.

As we previously reported, the Mexican government has developed draft regulations for the implementation of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares). The U.S. Department of Commerce recently circulated an English translation of the draft regulations. Public comments on the draft are due on August 3, 2011, and Mexican officials have indicated they will not grant extensions for late submissions. A final version of the regulations is ...

As reported in BNA’s Privacy Law Watch, on July 25, 2011, Russian President Dmitry Medvedev signed a new federal law amending Russia’s personal data privacy law, “On Personal Data.” The amended law, which was made public on July 27 and is effective retroactively from July 1, 2011, imposes new rules on international data transfers. As we previously reported, and as noted by the BNA, Russia had been considering improving its data protection regime and has enacted two other laws regarding the protection of personal data in the past several weeks.

On July 25, 2011, Netflix stated that it will hold off on the launch of its Facebook integration in the U.S. due to legal issues related to the Video Privacy Protection Act (“VPPA”).  The new Facebook feature would allow Netflix subscribers to share their movie viewing information with friends online.  Netflix indicated in its second quarter shareholder letter that it supports House Bill 2471 (“H.B. 2471”), a proposed bipartisan amendment to the VPPA intended to clarify the consent requirement for sharing consumer video viewing information.  The letter states that “[u]nder the VPPA, it is ambiguous when and how a user can give permission for his or her video viewing data to be shared” and that the VPPA “discourages us from launching our Facebook integration domestically.”  As a result, the company plans to limit the campaign to Canada and Latin America until questions concerning the VPPA are resolved.

As reported in the Hunton Employment & Labor Perspectives Blog:

The EEOC recently released an informal discussion letter suggesting that employers may be obligated to do more than just maintain a separate file for employee medical records, especially when those records are in an electronic format. Both the Americans with Disabilities Act of 1990 (“ADA”), as amended, and the Genetic Information Non-Discrimination Act of 2008 (“GINA”) require employers to maintain a confidential medical record, which is separate from the employee’s other personnel file(s), for information about the employee’s medical conditions, medical history or “genetic information.” The statutes do not, however, specify how such records are to be maintained or what level of security must be in place to protect the confidentiality of medical or genetic information.

As reported in BNA’s Privacy Law Watch, on July 19, 2011, President Obama announced his intention to nominate Maureen K. Ohlhausen to the Federal Trade Commission. Obama sent his official nomination to the Senate on July 21, 2011. If approved, Ohlhausen will serve a seven-year term beginning on September 26, 2011, replacing Commissioner William E. Kovacic.

A putative class action complaint filed on June 22, 2011, in the United States District Court for the Northern District of California alleges that the popular cloud-based storage provider Dropbox, Inc. failed to secure users’ private data or to notify the vast majority of them about a data breach.  According to the complaint, Dropbox announced in a blog post on its website that it had “introduced a bug” on June 19, 2011, which allowed users logged in to its system to log into other users’ accounts and access those users’ data stored on Dropbox.  The complaint further claims that Dropbox did not notify most, if not all, of its 25 million users that their information had been compromised.  The complaint defines the plaintiff class as all current or former Dropbox users as of June 19, 2011, whose accounts were breached.

The Hong Kong Privacy Commissioner has issued a document soliciting comments regarding a proposal to require a wide range of data users to submit information about their activities to the Office of the Privacy Commissioner for Personal Data.  The proposal would be carried out pursuant to the Hong Kong Privacy Ordinance, which authorizes the Privacy Commissioner to require certain data users to submit data user returns.  Under the Ordinance, a “data user return” is a form certain data users must submit to the Privacy Commissioner for purposes of maintaining a data user registration database.  A “data user” is defined as “a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of [personal] data” (emphasis added).

On July 13, 2011, the Article 29 Working Party (the “Working Party”), adopted an Opinion on the concept of consent as a legal basis for processing personal data, which includes recommendations for improving the concept in the context of the ongoing review of the EU data protection framework.  The Opinion also analyzes the conditions for valid consent under EU data protection law (that consent must be “freely given,” “specific,” “unambiguous,” “explicit,” “informed,” etc.), and clarifies the obligations of data controllers seeking consent.  In addition, the Opinion provides examples of valid and invalid consent with respect to company social media, medical research, body scanners, PNR data and online gaming.

On July 14, 2011, the U.S. House of Representatives Energy and Commerce Committee convened a joint hearing of the Subcommittee on Commerce, Manufacturing and Trade (chaired by Rep. Mary Bono Mack (R-CA)), and the Subcommittee on Communications and Technology (chaired by Rep. Greg Walden (R-OR)), to launch a comprehensive review of Internet privacy.  The series of hearings began with testimony from officials representing three agencies with jurisdiction over consumer privacy issues: FTC Commissioner Edith Ramirez, FCC Chairman Julius Genachowski, and Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling.

On July 12, 2011, Stanford Law School’s Center for Internet and Society reported the preliminary results of tests conducted with experimental software designed to detect third-party tracking.  Over the months spent developing “a platform for measuring dynamic web content,” researchers at the Stanford Security Lab analyzed tracking on the websites of Network Advertising Initiative (“NAI”) participants by observing how cookies are altered when a user opts out of behavioral tracking on the NAI website, or enables Do Not Track.

In April 2011, a technical malfunction suffered by the Amazon Elastic Compute Cloud resulted in a multi-day outage affecting hundreds of businesses.  The incident offered high-profile evidence of both the widespread popularity of cloud computing and the potential consequences of storing company data in the cloud.  It also drew attention to cloud service contracts, raising questions about performance levels and backups in the event of a service disruption.  With more and more businesses seeking to take advantage of the efficiency and cost savings offered by cloud computing, the ...

Adam Kardash from Heenan Blaikie LLP in Canada reports that Industry Canada and the Canadian Radio-television and Telecommunications Commission (“CRTC”) have released draft regulations for Canada’s Anti-Spam Legislation (“CASL”).  CASL imposes a consent-based anti-spam regime that restricts organizations’ ability to send commercial electronic messages.  Industry Canada and the CRTC are charged with the task of implementing regulations under CASL.

Last month, Texas Governor Rick Perry signed a health privacy bill into law that imposes new obligations exceeding the requirements in the HIPAA Privacy Rule.  The law, which will become effective on September 1, 2012, incorporates the expanded definition of the term “covered entity” in Texas’s existing health privacy law and could have a broad impact on many non-HIPAA covered entities.

On June 7, 2011, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $865,500 settlement with the University of California at Los Angeles Health System (“UCLA Health System”) for violations of the HIPAA Privacy and Security Rules.  UCLA Health System employees were accused of violating the Privacy Rule by improperly accessing the protected health information (“PHI”) of patients, including several high-profile celebrities who filed complaints with HHS.  A subsequent investigation by HHS’s Office for Civil Rights (“OCR”) revealed that in addition to neglecting to sanction the employees who had improperly accessed patient PHI, UCLA Health System had failed to train its employees on the HIPAA Privacy and Security Rules or implement security measures to “reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level.”

On June 16, 2011, the German Federal Ministry of the Interior officially opened a National Cyber Defense Center as part of the comprehensive cybersecurity strategy that was adopted by the German federal government on February 23, 2011.  The Cyber Defense Center is intended to serve as a common platform for rapid information exchange and better coordination of protective and defensive measures against information technology security incidents.

On July 6, 2011, Mexico’s Secretary of Economy, in conjunction with the Federal Institute for Access to Information and Data Protection (“IFAI”), released wide-ranging privacy regulations for public comment.  The regulations establish rules and guidelines for the implementation of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), which became effective one year ago.  Among the topics covered are jurisdictional issues, details regarding ...

On July 6, 2011, the UK Information Commissioner’s Office (the “ICO”) released its Annual Report and Financial Statements for 2010/11.  Characterizing information as “the currency of democracy,” the report highlights the wide range of the ICO’s activities during the last twelve months, which focused on education and the provision of good practice guidance in addition to enforcement activities.

On July 1, 2011, the French Data Protection Authority (the “CNIL”) released a comprehensive handbook for health professionals (the “Guidance”).  The Guidance reiterates that health professionals (e.g., doctors, nurses, hospitals, research laboratories) have an obligation to comply with the French Data Protection Act when collecting and processing health data on patients.

As reported in BNA’s Privacy Law Watch, on July 2, 2011, Peruvian President Alan García signed the Personal Data Protection Law (Ley de Protección de Datos Personales, Ley No. 29733), making Peru the latest Latin American country to adopt EU-style omnibus privacy legislation.  Implementing rules for the new law are to be drafted in the next few months.

On June 27, 2011, the Federal Trade Commission announced that it had reached a settlement with Teletrack, Inc. (“Teletrack”), a consumer reporting agency that sells consumer reports and other services to businesses that serve financially distressed consumers, after alleging that the company had sold information obtained through its consumer reporting business to marketers to create a marketing database. The FTC considered that the information sold by Teletrack, which included lists of consumers who applied for certain credit products, constituted “consumer ...