Privacy & Information Security Law Blog

On August 24, 2023, 12 data protection authorities published a joint statement calling for the protection of personal data from unlawful data scraping. The statement was issued by the authorities of Argentina, Australia, Canada, Colombia, Hong Kong, Jersey, Mexico, Morocco, New Zealand, Norway, Switzerland and the UK. The joint statement reminds organizations that personal data that is publicly accessible is still subject to data protection and privacy laws in most jurisdictions, and highlights the risks facing such data, including increased risk of social engineering or phishing attacks, identify fraud, and unwanted direct marketing or spam.

On January 16, 2020, the Senate approved the United States-Mexico-Canada Agreement (“USMCA”), sending it to the President’s desk for ratification. Mexico ratified the Agreement in June 2019, and Canada is expected to follow suit later this month. To coincide with its ratification, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth issued a white paper entitled What Does the USMCA Mean for a U.S. Federal Privacy Law?

On April 8, 2015, the Federal Communications Commission announced a $25 million settlement with AT&T Services, Inc. (“AT&T”) stemming from allegations that AT&T failed to protect the confidentiality of consumers’ personal information, resulting in data breaches at AT&T call centers in Mexico, Colombia and the Philippines. The breaches, which took place over 168 days from November 2013 to April 2014, involved unauthorized access to customers’ names, full or partial Social Security numbers and certain protected account-related data, affecting almost 280,000 U.S. customers.

On August 6-10, 2014, the APEC Data Privacy Subgroup (“DPS”) and its parent committee, the Electronic Commerce Steering Group (“ECSG”), met in Beijing, China, for another round of negotiations, meetings and workshops. The Centre for Information Policy Leadership at Hunton & Williams participated as part of the U.S. delegation. The principal focus of the meetings was again on the further implementation of the APEC Cross-Border Privacy Rules (“CBPR”) system and related work relevant to cross-border interoperability. The following is a summary of highlights and outcomes from the meetings:

On April 30, 2014, the Asia-Pacific Economic Cooperation (“APEC”) released the Findings Report of the Joint Oversight Panel of the APEC Cross-Border Privacy Rules (“CPBR”) system, confirming that Japan has met the conditions for participation in the CBPRs. Accordingly, Japan has now joined the U.S. and Mexico as a participant in the APEC CBPRs. Canada recently expressed its intent to join the system soon, and other APEC economies are in the process determining how and when they may join.

As reported by Bloomberg BNA, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) recently issued data security guidelines that implement the security provisions of the Federal Law for the Protection of Personal Data Held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares).

On March 8, 2013, a U.S. federal appeals court issued a decision in the case United States v. Cotterman, holding that the federal government must have “reasonable suspicion” of criminal activity to conduct a forensic search of laptops and similar devices in the possession of individuals attempting to cross the border. The case arose after Howard Cotterman attempted to enter the United States by car at a checkpoint on the Mexican border. When border agents determined that he had a criminal record related to sexual misconduct, they seized his laptop and attempted to search it. They initially discovered some password-protected files but no proof of illegal activity and allowed him to enter the country but did not return his laptop. The agents then subjected the computer to a forensic analysis and discovered it contained child pornography in portions of the hard drive that had been deleted or protected with passwords. The federal district court ordered suppression of this evidence in the criminal case against Cotterman on the ground that the agents’ forensic analysis of his computer violated the Fourth Amendment’s prohibition on warrantless searches.

On January 17, 2013, Mexico’s Ministry of Economy published its Lineamientos del Aviso de Privacidad (in Spanish) (“Privacy Notice Guidelines” or “Guidelines”), which it prepared in collaboration with the Mexican data protection authority. The Guidelines introduce heightened notice and opt-out requirements for the use of cookies, web beacons and similar technology, and they impose extensive requirements on the content and delivery of privacy notices generally (with respect to all personal data, not just data collected via cookies and other automated means). The Guidelines will take effect in mid-April.

On July 26, 2012, acting U.S. Secretary of Commerce Rebecca Blank announced that APEC’s Joint Oversight Panel has approved the United States’ request to participate in the APEC Cross-Border Privacy Rules System. The panel also approved the Federal Trade Commission’s participation as the system’s first privacy enforcement authority. The next step will be for the United States to nominate one or more accountability agents for the panel’s approval. Accordingly, the Department of Commerce will publish a Federal Register Notice in the coming days to provide guidance on how potential accountability agents may seek recognition. Once a U.S. accountability agent has been approved, American companies will be able to submit their cross-border privacy rules to be recognized as meeting the APEC standard.

On May 26, 2012, the United States government submitted its request to participate in the APEC Cross-Border Privacy Rules (“CBPRs”) system. The CBPRs system was endorsed by APEC leaders in November 2011. The protocol requires a participating economy to submit:

• A letter of intent to participate;
• Confirmation that a privacy enforcement agency in the economy is a participant in the Cross-Border Privacy Enforcement Arrangement;
• Notice that the economy intends to make use of at least one APEC-recognized accountability agency; and
• A description of the domestic laws and other legal mechanisms to give effect to the enforcement activities related to the activities of the accountability agent, which also must include an enforcement map.

• Mending Fences after a Breach Thursday, March 8, 12:15 p.m. Speakers include: Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice, Hunton & Williams LLP; Susan Grant, Director of Consumer Protection, Consumer Federation of America; and Joanne B. McNabb, Chief, California Office of Privacy Protection.

On December 21, 2011, Mexico issued the final version of its Regulations of the Federal Law for the Protection of Personal Data Held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares). The regulations, which contain mostly minor changes to the prior draft that was released in October, will take effect on December 22, 2011. Notable updates in this final draft include:

• clarification of notice and consent requirements;
• changes to restrictions on cloud computing;
• updates to requirements regarding data transfers; and

On November 2, 2011, following welcome comments by Federal Institute for Access to Information and Data Protection (“IFAI”) Commissioner Jacqueline Peschard, the 33rd International Conference of Data Protection and Privacy Commissioners opened in Mexico City with an examination of the phenomenon of “Big Data” as a definer of a new economic era. In a wide-ranging presentation, Kenneth Neil Cukier of the Economist drew into clear relief the possibilities and problems associated with combining vast stores of data and powerful analytics. He highlighted the growing ability to correlate seemingly unrelated data sets to predict behavior, reveal trends, enhance product performance and safety and derive meaning. In his remarks Cukier noted that, in an era of Big Data, much of the decision-making about data collection and use goes beyond traditional notions of privacy, touching on ethics and free will. Noting that the printing press led to the development of free speech laws, he left open the question of how Big Data may change the legal landscape.

On November 1, 2011, the Centre for Information Policy Leadership released a discussion document entitled “Implementing Accountability in the Marketplace,” at the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. The document reflects the collaborative effort of experts from Canada, Europe and the United States, and provides a comprehensive summary of the third year of the Centre’s work with the Accountability Project. It examines the requirements and benefits of accountability when it is applied across the marketplace, and ...

On November 2-3, 2011, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) will host the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, is the chairman of the Conference’s advisory panel and principal advisor to Conference organizers on program content. Hunton & Williams is a proud sponsor of the event which will feature Hunton representatives as speakers or moderators on multiple panels and plenary sessions, including the following:

On October 20, 2011, Mexico’s Ministry of Economy made public an update to its proposed Regulations to the Federal Law for the Protection of Personal Data Held by Private Parties. The new draft regulations, which contain changes made in light of public comments on the prior version, will take effect if they receive final executive approval, which may happen later this year. The updates to the draft regulations include:

• Rules specific to cloud computing
• Clarification of notice requirements
• Clarification of consent requirements
• Exemptions for certain business contact ...

Mexico’s Federal Institute for Access to Information and Data Protection ( “IFAI”) will host the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City on November 2-3, 2011.  This year’s conference, entitled “Privacy: The Global Age,” will focus on the challenges associated with managing and protecting personal data in an era characterized by the constant, instantaneous transfer of information across the globe.  IFAI President Jacqueline Peschard discussed the conference in further detail in an interview with Marty Abrams ...

The Department of Commerce released an English translation of Peru’s Law for Personal Data Protection (Ley de Protección de Datos Personales, Ley No. 29733).  The law passed Peru’s Congress on June 7, 2011, and was signed by the president July 2, 2011.  Peru’s adoption of this new law is in keeping with a recent trend in Latin America, where Uruguay, Mexico and Colombia also have passed privacy legislation.

As we previously reported, the Mexican government has developed draft regulations for the implementation of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares). The U.S. Department of Commerce recently circulated an English translation of the draft regulations. Public comments on the draft are due on August 3, 2011, and Mexican officials have indicated they will not grant extensions for late submissions. A final version of the regulations is ...

On July 6, 2011, Mexico’s Secretary of Economy, in conjunction with the Federal Institute for Access to Information and Data Protection (“IFAI”), released wide-ranging privacy regulations for public comment.  The regulations establish rules and guidelines for the implementation of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), which became effective one year ago.  Among the topics covered are jurisdictional issues, details regarding ...

Mexico’s Ministry of Economy and Federal Institute for Access to Information and Data Protection (the “IFAI”) will issue the first set of regulations implementing Mexico's new private sector data protection law the week of April 11, 2011.  These first regulations will cover the legal requirements to provide privacy notices to consumers and to appoint a designated privacy official, which go into effect in July 2011.  The two agencies want to ensure that the private sector has adequate time to prepare appropriate privacy notices prior to the July effective date.  The balance of the law, granting individual participation rights to consumers, becomes effective in January 2012.

Following its recent enactment of an omnibus data protection law, Mexico has been unanimously elected to lead the Ibero-American Data Protection Network, a consortium of the governments of Spain, Portugal, Andorra and 19 Latin American countries.  The group’s mission is to foster, maintain and strengthen an exchange of information, experience and knowledge among Ibero-American countries through dialogue and collaboration on issues related to personal data protection.  The IFAI announced on September 29, 2010, that Jacqueline Peschard, head of Mexico’s Federal ...

On July 6, 2010, Mexico’s Ley Federal de Protección de Datos Personales en Posesión de los Particulares came into force.  As we previously reported, on April 27, 2010, the Mexican Senate unanimously approved this landmark federal data protection law governing the collection, processing and disclosure of personal data by the private sector.  Pursuant to the adoption of the new law, the Mexican Federal Institute of Access to Public Information has changed its name to the Federal Institute of Access to Information and Data Protection.

As reported by the IAPP, the Institute’s ...

The Mexican Senate has unanimously approved a landmark data protection law governing information use in the private sector, la Ley Federal de Protección de Datos Personales en posesión de los particulares.  We provided information on the bill last week when the Chamber of Deputies voted to approve it.  The legislation has been forwarded to the president for signature.  We will provide further details as this story develops.

According to Mr. M. Jorge Yanez V., a partner at the law firm of Barrera, Siqueiros y Torres Landa, S.C. in Mexico City, on April 13, 2010, the Mexican Chamber of Deputies passed a bill that, when ratified by the Senate, will become the country’s new Federal Law of Protection of Personal Information.  The Senate is expected to pass the bill shortly and without revisions.  When the bill is enacted into law, Mexico’s Federal Institute of Access to Information, the agency that currently oversees the disclosure of and access to government information, will be renamed the Federal ...

On February 4, 2009 the Trilateral Committee on Transborder Data Flows met in Mexico City.  The committee is comprised of representatives from the Canadian, Mexican and U.S. governments and is part of the Security and Prosperity Partnership of North America.  The Trilateral Committee invited representatives from the private sector to give testimony on current and potential impediments to the free flow of personal data in North America.