Privacy & Cybersecurity Law Blog

On June 28, 2011, the Federal Communications Commission and the Federal Trade Commission convened a public education forum entitled “Helping Consumers Harness the Potential of Location-Based Services.”  Representatives of telecommunications carriers, technology companies and consumer advocacy organizations discussed technological developments and how best to realize the benefits of location-based services without compromising privacy.

On June 29, 2011, the Senate Committee on Commerce, Science and Transportation convened a hearing entitled “Privacy and Data Security: Protecting Consumers in the Online World.”  In opening remarks, Committee Chair Senator Jay Rockefeller (D-WV) highlighted that the hearing would consider both privacy and data security and discussed three bills focused on these issues.  

On June 24, 2011, the U.S. Department of Commerce’s International Trade Administration released a PowerPoint presentation on Mexico’s new private sector data protection law that was shared at a meeting of the OECD Working Party on Information Security and Privacy by Mexico’s Ministry of Economy and Federal Institute for Access to Information and Data Protection (“IFAI”).  The presentation provides guidance on the creation of privacy notices and establishment of self-regulatory schemes, and also outlines the responsibilities of the Ministry of Economy and the IFAI ...

Recent developments involving the use of facial recognition technology have raised privacy concerns in the United States, Europe and Canada.  As we reported earlier this month, the Electronic Privacy Information Center (“EPIC”) and several other consumer privacy advocacy groups filed a complaint with the Federal Trade Commission against Facebook for its use of facial recognition technology.  According to EPIC’s complaint, Facebook’s Tag Suggestions feature recognizes individuals’ faces based on photographs already on Facebook, then suggests that users “confirm Facebook’s identification of facial images in user photos” when they upload new photos to their Facebook profiles.

On June 23, 2011, in a 6-3 decision, the United States Supreme Court ruled in IMS Health Inc. v. Sorrell that a Vermont law prohibiting the sale of prescriber-identifiable data to drug companies was an unconstitutional violation of the First Amendment right to free speech.  Thomas Julin, a partner at Hunton & Williams LLP, represented IMS Health in this case.  The Supreme Court’s ruling affirmed the holding of the U.S. Court of Appeals for the Second Circuit, resolving a split with the First Circuit (which upheld a similar law in New Hampshire), and likely preventing the enactment of similar restrictive laws across the country.

Speaking at the British Bankers’ Association’s Data Protection and Privacy Conference in London on June 20, 2011, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, signaled her intention to streamline data protection to “simplify the regulatory environment” and “substantially reduce the administrative burden” for businesses.  In return, Reding expects businesses to ensure “safe and transparent digital products and services.”

On June 20, 2011, Malaysia’s Bernama News Agency reported that the Malaysian Ministry of Information, Communication and Culture will establish a government department to facilitate the implementation of Malaysia’s new Personal Data Protection Act.  Malaysia passed the Personal Data Protection Act in 2010, but the law has yet to go into effect.  According to the report, enforcement of the Act is scheduled for early next year.

On June 14, 2011, the PCI Security Standards Council’s Virtualization Special Interest Group published its “Information Supplement: PCI DSS Virtualization Guidelines”(the “Guidelines”) to Version 2.0 of the PCI Data Security Standard (“PCI DSS”).  The Guidelines provide context for the application of the PCI DSS to cloud and other virtual environments, and offer at least three critical reminders:

• the PCI DSS applies to cloud environments without exception; 
• critical analysis of the application of the PCI DSS to rapidly evolving cloud offerings is essential to compliance; and
• cloud providers must be prepared to document and contract for necessary controls.

As reported in Hunton & Williams' Employment & Labor Perspectives blog, two unfair labor practice complaints recently issued by National Labor Relations Board regional offices in Buffalo and Chicago illustrate how closely the NLRB is scrutinizing employers’ termination decisions that are allegedly related to statements employees made on social media.  Read the full entry.

On June 15, 2011, European Data Protection Supervisor (“EDPS”) Peter Hustinx gave a press conference to present his annual report for 2010.  The annual report provides an overview of the EDPS’ main activities in 2010 and sets forth key priorities and challenges for the future.

In his speech, Hustinx focused primarily on the review of the EU data protection framework and the Data Retention Directive.  He referenced his recent Opinion in which he concluded that the Data Retention Directive does not meet general EU data protection requirements and that the European Commission should explore the possibility of replacing it with alternative measures such as data preservation through a “quick freeze” procedure.  Hustinx also stated his intention to keep a close eye on any developments with respect to RFID technology, cloud computing and online enforcement of intellectual property rights.