Privacy & Information Security Law Blog

On February 23, 2015, the Wyoming Senate approved a bill (S.F.36) that adds several data elements to the definition of “personal identifying information” in the state’s data breach notification statute. The amended definition will expand Wyoming’s breach notification law to cover certain online account access credentials, unique biometric data, health insurance information, medical information, birth and marriage certificates, certain shared secrets or security tokens used for authentication purposes, and individual taxpayer identification numbers. The Wyoming Senate also agreed with amendments proposed by the Wyoming House of Representatives to another bill (S.F.35) that adds content requirements to the notice that breached entities must send to affected Wyoming residents. Both bills are now headed to the Wyoming Governor Matt Mead for signing.

On February 3, 2015, the Article 29 Working Party (“Working Party”) published a report on a sweep of 478 websites across eight EU Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom). The sweep was conducted to assess compliance with Article 5.3 of the e-Privacy Directive 2002/58/EC, as amended by 2009/136/EC.

On February 15, 2015, the White House released a Presidential Memorandum entitled “Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems” (the “Memorandum”) to address the privacy, civil rights and civil liberties concerns associated with the federal government’s use of Unmanned Aircraft Systems (“UAS”). The Memorandum provides privacy expectations for the federal government’s use of UAS by setting requirements for federal agencies to establish and maintain privacy and civil liberty safeguards, as well as by placing restrictions on certain information collection and use practices.

On February 12, 2015, the Office of the Privacy Commissioner of Canada released a research report entitled Privacy and Cyber Security - Emphasizing privacy protection in cyber security activities (the “Report”). The Report explores the interconnected relationship among cybersecurity, privacy and data protection, including common interests and challenges.

On February 13, 2015, at the White House’s Cybersecurity and Consumer Protection Summit at Stanford University, President Obama signed an executive order promoting private sector cybersecurity information sharing (“Executive Order”). Building on the current cybersecurity information sharing efforts of Information Sharing and Analysis Centers and groups such as the National Cyber-Forensics and Training Alliance, the new Executive Order emphasizes the need for private companies, non-profit organizations and government agencies to share information about cyber threats, vulnerabilities and incidents. Its purpose is to facilitate private-private and public-private cybersecurity information sharing while (1) protecting the privacy and civil liberties of individuals; (2) protecting business confidentiality; (3) safeguarding shared information; and (4) protecting the government’s ability to detect, investigate, prevent and respond to cyber threats.

On February 5, 2015, the Federal Trade Commission sent a letter to the Consumer Financial Protection Bureau (“CFPB”) summarizing the agency’s efforts in the debt collection arena in 2014. The letter is intended to assist the CFPB with preparing its annual report to Congress on the enforcement of the Fair Debt Collection Practices Act, which must be submitted pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act. The FTC’s debt collection program involves three initiatives: (1) law enforcement, (2) education and public outreach, and (3) research and policy.

On February 5, 2015, the Article 29 Working Party (the “Working Party”) published a letter that responds to a request of the European Commission to clarify the scope of the definition of health data in connection with lifestyle and wellbeing apps. In the annex to this letter, the Working Party identifies criteria to determine when personal data qualifies as “health data,” a special category of data receiving enhanced protection under the EU Data Protection Directive 95/46/EC (the “Directive”). The Working Party further discusses the current legal regime for the processing of such health data and provides its view on the requirements for further processing of health data for historical, statistical and scientific research under the Directive. The letter also includes the Working Party’s recommendations for the regime that should be provided in the proposed EU General Data Protection Regulation (the “Proposed Regulation”).

On January 28, 2015, the Brazilian government issued the Preliminary Draft Bill for the Protection of Personal Data (Anteprojeto de Lei para a Proteção de Dados Pessoais) on a website specifically created for public debate on the draft bill. The text of the bill (in Portuguese) is available on the website. (http://participacao.mj.gov.br/)

On February 4, 2015, the German government adopted a draft law to improve the enforcement of data protection provisions that are focused on consumer protection. As reported earlier, the new law would bring about a fundamental change in how German data protection law is enforced.

On February 3, 2015, the Securities and Exchange Commission (“SEC”) released a Risk Alert, entitled Cybersecurity Examination Sweep Summary, summarizing observations from the recent round of cybersecurity examinations of registered broker-dealers and investment advisers under the Cybersecurity Examination Initiative. Conducted by the SEC Office of Compliance Inspections and Examinations (“OCIE”) from 2013 through April 2014, the examinations inspected the cybersecurity practices of 57 registered broker-dealers and 49 registered investment advisers through interviews and document reviews. The examinations evaluated the institutions’ practices in key areas such as risk management, cybersecurity governance, network security, information protection, vendor management and incident detection.

On February 12, 2015, the International Association of Privacy Professionals (“IAPP”) will host a web conference on The Role of Risk Management in Data Protection – From Theory to Practice. Panelists will include Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton & Williams (“CIPL”), Fred Cate, Senior Policy Advisor of CIPL, and Hilary Wandall, Associate Vice President, Compliance and Chief Privacy Officer of Merck & Co., Inc. Together, they will lead an online discussion on some of the key considerations in risk assessment and management.

From January 30 to February 3, 2015, the APEC Data Privacy Subgroup (“DPS”) and its parent committee, the Electronic Commerce Steering Group (“ECSG”), met in Subic Bay, Philippines, for another round of negotiations and meetings. The Centre for Information Policy Leadership at Hunton & Williams participated as part of the U.S. delegation. The principal focus of the meetings was implementing the APEC Cross-Border Privacy Rules (“CBPR”) system, developing a corollary APEC recognition mechanism for information processors, related work relevant to cross-border interoperability, and updating the APEC Privacy Framework. The following is a summary of highlights and outcomes from the meetings.

On January 20, 2015, a group of public officials and industry representatives met in a public discussion panel in Brussels to debate the progress of the proposed EU General Data Protection Regulation (the “ Proposed Regulation”) and the major themes that are yet to be resolved. The panelist included Paul Nemitz, Director for the Fundamental Rights and Union Citizenship of the European Commission, Jan Philipp Albrecht, MEP and Vice Chair of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and Pat Walshe, Director of Privacy and Public Policy of Groupe Speciale Mobile Association.