Privacy & Information Security Law Blog

On September 27, 2011, OnStar announced it was reversing proposed changes to its Terms and Conditions that would have allowed the company to continue to receive data from former subscribers’ vehicles unless they specifically opted out.  OnStar’s current Privacy Statement indicates that the GM subsidiary collects information regarding its customers’ vehicle operation, location, approximate speed, collision data and safety belt usage in connection with OnStar’s in-vehicle GPS navigation and emergency response services, and that the company “may share or sell” any of this data in anonymized form with third parties.  OnStar recently notified customers by email that it would continue to collect data from former subscribers, and that it reserved the right to distribute such data to third parties.  The announcement prompted a swift and strong reaction from members of Congress skeptical of the proposed policy changes.

On September 28, 2011, a federal court in Illinois held that West Publishing Company (“West”) had not violated the Driver’s Privacy Protection Act (“DPPA”) by reselling driver’s license information obtained from state DMVs.  The court held that (1) the DPPA creates a federal private right of action permitting individuals like the plaintiffs to bring their class action suit, but (2) the lower court’s dismissal for failure to state a claim was proper.

On Tuesday, September 27, 2011, the European Privacy Officers Forum (“EPOF”) celebrated its 10th anniversary with a gala reception at the BELvue Museum in Brussels. EPOF is composed of EU-based data protection compliance officers and internal legal counsel from over 30 multinational companies and public-sector institutions who meet three times a year in Brussels to exchange ideas and to hear presentations by data protection authorities and other government representatives. The gala, which was attended by approximately 100 people, featured opening remarks from Peter Hustinx, European Data Protection Supervisor, the Honorable William E. Kennard, U.S. Ambassador to the EU, and Paul Nemitz, Director of Fundamental Rights and Citizenship of the European Commission.

On September 22, 2011, the Senate Judiciary Committee approved three separate bills that would establish a national data breach notification standard.  Because the bills were approved on a party-line vote, and several other data breach bills currently are under consideration by other Senate committees, the prospects for these three bills in the full Senate are uncertain.

On September 19, 2011, Privacy Piracy host Mari Frank interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, on KUCI 88.9 FM radio in Irvine, California.  In the interview, Ms. Sotto discussed critical current privacy and data security issues, including lessons learned from the recent data breaches, the regulatory framework in the U.S. and EU, and expected legislative changes in the privacy arena globally.

Listen to the Privacy Piracy interview.

On September 21, 2011, the board of the French Data Protection Authority (the “CNIL”) elected Isabelle Falque-Pierrotin as its new Chair, following Alex Türk’s resignation which he officially tendered at the board meeting.

On September 15, 2011, the Federal Trade Commission released proposed amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”).  These revisions follow the FTC’s review of the COPPA Rule, which resulted in numerous comments from various groups and individuals, as well as a public round table that took place on June 2, 2010.  The proposed amendments reflect the FTC’s commitment to “helping to create a safer, more secure online experience for children” in the face of rapid technological change.

On September 14, 2011, the Article 29 Working Party (the “Working Party”) met with representatives of the European Advertising Standards Alliance (“EASA”) and IAB Europe, to discuss the industry’s new self-regulatory code of conduct for online behavioral advertising (the “Code”), which was released on April 14, 2011.

On September 14, 2011, UK Information Commissioner Christopher Graham said that the private sector “isn’t as good as it thinks it is” when it comes to data protection compliance, and that many of the compliance problems that arise originate in the private sector.  While giving evidence to the House of Commons Justice Select Committee, the Commissioner criticized the private sector and, in particular, banks and other financial services companies.

On September 15, 2011, the data protection authority of the German federal state of Hamburg (the “DPA”) published a press release confirming that Google has significantly improved compliance with respect to the implementation of Google Analytics in Germany.  This finding is the result of two years of fruitful dialog between Google and the DPA, which was acting on behalf of the conference of German data protection authorities responsible for the private sector (the “Düsseldorfer Kreis”).

On September 14, 2011, Alex Türk announced that he will be resigning his position as Chairman of the French Data Protection Authority (the “CNIL”), in accordance with a recent amendment to the French Data Protection Act (Loi n° 2011-334 du 29 mars 2011 relative au Défenseur des droits).  The amendment prohibits the CNIL’s Chairman from holding any other elected office or public position.  Although this restriction does not enter into force until September 1, 2012, Mr. Türk, who also serves as a senator in the French Parliament, chose to resign prior to the upcoming French ...

On September 12, 2011, the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (“ONC”) unveiled a model privacy notice for personal health records (the “PHR Model Privacy Notice”).  The PHR Model Privacy Notice was developed by ONC in collaboration with consumers and vendors of personal health records (“PHRs”).  The PHR Model Privacy Notice is intended to enable consumers to “understand privacy and security policies and data sharing practice information, compare PHR company practices, and make informed decisions.”

On September 8, 2011, Richard Allan, Facebook’s Director of European Public Policy, met with the German Federal Ministry of the Interior (the “Ministry”) and endorsed the Ministry’s initiative for a future self-regulatory code for social networks with a focus on data security, consumer protection and the protection of minors.

On September 12, 2011, the Commissioner for Data Protection and Freedom of Information of the German federal state of North Rhine-Westphalia (“DPA”) imposed a fine of €60,000 on Easycash GmbH (“Easycash”), a leading German service provider for electronic payments.

Mexico’s Federal Institute for Access to Information and Data Protection ( “IFAI”) will host the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City on November 2-3, 2011.  This year’s conference, entitled “Privacy: The Global Age,” will focus on the challenges associated with managing and protecting personal data in an era characterized by the constant, instantaneous transfer of information across the globe.  IFAI President Jacqueline Peschard discussed the conference in further detail in an interview with Marty Abrams ...

Following the U.S. Supreme Court’s ruling in Sorrell v. IMS Health, Thomas Julin, partner at Hunton & Williams LLP who represented IMS Health in the case, closely studied the Court’s decision to assess its implications, including with respect to other forthcoming legislation.  In an interview with Marty Abrams, President of the Centre for Information Policy Leadership, during the Centre’s First Friday Call on September 9, 2011, Julin discussed the close parallels between the law invalidated in Sorrell v. IMS Health and proposed federal regulation of behavioral ...

Over the past several weeks, online tracking practices involving the use of Flash cookies and ETags have been the subject of new research studies, class action lawsuits and significant media attention.

On September 6, 2011, Lisa J. Sotto, partner and head of Hunton & Williams’ Privacy and Data Security practice, discussed why companies and individuals should be concerned about protecting their personal information in an interview with FoxNews.com.

View the video of Lisa’s interview with Kimberly Guilfoyle.

On September 6, 2011, a bankruptcy court approved an agreement between bankrupt bookseller Borders Group, Inc. (“Borders”) and Next Jump, Inc., (“Next Jump”) regarding Next Jump’s alleged trademark infringement and unauthorized use of Borders’ customer information.  Next Jump stipulated that it will not communicate with persons on Borders’ customer list, and that it would remove the Borders name and marks from websites that Next Jump owns or operates.

As reported in the Hunton Employment & Labor Perspectives Blog, on August 18, 2011, the National Labor Relations Board’s Acting General Counsel issued a report discussing fourteen social media cases recently decided by the Board.  The cases highlighted in the report offer insight regarding how the NLRB will handle various social media issues in the future.

Read the full post, which provides an overview of several of the cases highlighted in the NLRB’s report.

On August 31, 2011, California Governor Jerry Brown signed into law amendments to that state’s security breach notification statute.  The revisions establish new content requirements for breach notification letters to California residents, and mandate notification to the state Attorney General when a breach affects more than 500 Californians.  Senate Bill 24 was the third effort by State Senator Joe Simitian to build on the landmark California breach notification law he authored in 2002.  The two previous bills he proposed were passed by the California legislature, but vetoed by former Governor Arnold Schwarzenegger.