Privacy & Information Security Law Blog

On March 25, 2014, the Article 29 Working Party adopted Opinion 03/2014 (the “Opinion”) providing guidance on whether individuals should be notified in case of a data breach.

The Opinion goes beyond considering the notification obligations contained in the e-Privacy Directive 2002/58/EC, which requires telecommunications service providers to notify the competent national authority of all data breaches. The Directive also requires notification (without undue delay) to the affected individuals when the data breach is likely to adversely affect the personal data or privacy of individuals, unless the service provider has satisfactorily demonstrated that it has implemented appropriate technological safeguards that render the relevant data unintelligible to unauthorized parties and that these measures were applied to the data concerned by the security breach.

On March 20, 2014, Australia’s Privacy Amendment (Privacy Alerts) Bill 2014 was re-introduced in the Senate for a first read. The bill, which was subject to a second reading debate on March 27, 2014, originally was introduced on May 29, 2013, but it lapsed on November 12, 2013 at the end of the session.

On March 28, 2014, the Federal Trade Commission announced proposed settlements with Fandango and Credit Karma stemming from allegations that the companies misrepresented the security of their mobile apps and failed to secure consumers’ sensitive personal information transmitted using their mobile apps.

President Obama’s Executive Order 13636 on Improving Critical Infrastructure Cybersecurity identified “insurance liability considerations” as an incentive that might improve security. Over the course of the year since the Executive Order was issued, there has been an increase in the marketing of cyber insurance products. In an article published in Law360, Hunton & Williams Insurance Litigation & Counseling partner Lon Berk discusses how most cyber insurance policies currently available do not protect against major risks to critical infrastructure. Since the ...

Join us in New York City on May 19-20, 2014, for the Privacy, Policy & Technology Summit – A High Level Briefing for Today’s Top Privacy Executives. Lisa Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP will be a featured speaker at the session on “Cybersecurity: Insider Tips for Proactively Protecting Your Company and Its Data While Reducing Downstream Regulatory and Litigation Exposure.”

On March 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program focused on some of the recent developments in privacy, including observations from the International Association of Privacy Professionals’ Global Privacy Summit in Washington, D.C., earlier this month, the National Institute of Standards and Technology final Cybersecurity Framework and the Article 29 Working Party’s recent Opinion on Binding Corporate Rules and Cross-Border Privacy Rules.

On March 18, 2014, Brazilian lawmakers announced the withdrawal of a provision in pending legislation that would have required Internet companies to store Brazilian users’ data within the country.

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced that it intends to survey up to 1,200 covered entities and business associates to determine their suitability for a more fulsome HIPAA compliance audit. In a notice published in the Federal Register, OCR stated that the survey will collect information such as “number of patient visits or insured lives, use of electronic information, revenue, and business locations” to assess the organizations’ “size, complexity and fitness” for an audit.

On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Franҫaise. The new law strengthens the investigative powers of the French Data Protection Authority (the “CNIL”) by giving the CNIL the ability to conduct online inspections.

On the 25th anniversary of his first proposal for what would become the World Wide Web (the “Web”), Sir Timothy John “Tim” Berners-Lee expressed concern at what he sees as the increasing threat that governments and commercial interests pose to the openness and accessibility of the Web. In a wide-ranging interview with the UK’s The Guardian newspaper, Berners-Lee criticized the approach that some lawmakers have taken on issues such as net neutrality and copyright legislation, as well as the decision by some countries to limit access to the wider Internet. He also called for an end to the control that the U.S. Department of Commerce exerts over the Internet Domain Name System.

The Federal Trade Commission recently acted on three industry proposals in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013. Specifically, the FTC determined that it was unnecessary to rule on a proposed parental consent mechanism, approved a proposed “safe harbor” program and is seeking public comment on a separate proposed “safe harbor” program.

On March 13, 2014, the European Parliament voted to adopt the draft directive on measures to ensure a uniform level of network and information security (“NIS Directive”). The NIS Directive was proposed by the European Commission on February 7, 2013 as part of its cybersecurity strategy for the European Union. The NIS Directive aims to ensure a uniform level of cybersecurity across the EU. The European Parliament will next negotiate with the Council of the European Union to reach an agreement on the final text of the NIS Directive.

View the European Commission’s press release.

On March 12, 2014, the European Parliament formally adopted the compromise text of the proposed EU General Data Protection Regulation (the “Regulation”). The text now adopted by the Parliament is unchanged and had already been approved by the Parliament’s Committee on Civil Liberties, Justice and Home Affairs in October of last year. The Parliament voted with 621 votes in favor, 10 against and 22 abstentions for the Regulation.

The Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) announces Markus B. Heyder, International Consumer Protection Counsel at the U.S. Federal Trade Commission, will be joining as Vice President and Senior Policy Counselor, effective March 17, 2014. In this role, Heyder will work on policy development, research and publishing activities at the Centre, and will develop and maintain relationships with policy and regulatory authorities in North America, Asia and Latin America, among other tasks. He will be resident in the firm’s Washington, D.C. office.

On March 7, 2014, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $215,000 settlement with Skagit County, Washington, following a security breach that affected approximately 1,600 individuals.

On March 6, 2014 the Article 29 Working Party (the “Working Party”) published a comprehensive Opinion: Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross-Border Privacy Rules submitted to APEC CBPR Accountability Agents. This blog post provides an overview of the Opinion.

On March 6, 2014, the U.S. Federal Trade Commission (“FTC”) and UK Information Commissioner’s Office (“ICO”) signed a memorandum of understanding (“MOU”) to promote increased cooperation and information sharing between the two enforcement agencies.

On March 5, 2014, the French Data Protection Authority (the “CNIL”) issued new guidelines in the form of five practical information sheets that address online purchases, direct marketing, contests and sweepstakes, and consumer tracking (the “Guidelines”).

On February 25, 2014, the UK Information Commissioner’s Office (“ICO”) published an updated code of practice on conducting privacy impact assessments (“PIAs”) (the “Code”). The updated Code takes into account the ICO’s consultation and research project on the conduct of PIAs, and reflects the increased use of PIAs in practice.