Privacy & Information Security Law Blog

On November 27, 2013, the European Commission published an analysis of the EU-U.S. Safe Harbor Framework, as well as other EU-U.S. data transfer agreements. The analysis includes the following documents:

On November 15, 2013, the U.S. Government Accountability Office (“GAO”) released a report (the “Report”) finding that the current federal statutory privacy scheme contains “gaps” and “does not fully reflect” the Fair Information Practice Principles (“FIPPs”). The Report focused primarily on companies that gather and resell consumer personal information, and on the use of consumer personal information for marketing purposes.

Brazilian lawmakers, including José Eduardo Cardozo, the Minister of Justice of Brazil, and Ideli Salvatti, the Secretariat of Institutional Relations, held several consensus-building meetings with party leaders over the past two weeks to reach a voting agreement on the Marco Civil da Internet (“Marco Civil”), a draft bill introduced in the Brazilian Congress in 2011. The Marco Civil would establish Brazil’s first set of Internet regulations, including requirements regarding personal data protection and net neutrality.

As reported by Bloomberg BNA, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) recently issued data security guidelines that implement the security provisions of the Federal Law for the Protection of Personal Data Held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares).

On November 15, 2013, the Supreme Court of Canada declared the Alberta Personal Information Protection Act (“PIPA”) invalid because the legislation interfered with the right to freedom of expression in the labor context under Section 2(b) of the Canadian Charter of Rights and Freedoms (the “Canadian Charter”). The case arose in the context of a labor union representing employees of a casino in Alberta. During a lawful strike, the union recorded and photographed individuals crossing the union’s picket line near the main entrance of the casino. The union had posted a sign that the images of persons crossing the picket line might be placed on a website. A number of individuals who were recorded crossing the picket line filed complaints under PIPA with the Alberta Information and Privacy Commissioner, who appointed an adjudicator to determine whether the union had contravened PIPA by collecting and disclosing personal information about individuals without their consent. Under PIPA, organizations cannot collect, use or disclose personal information without the individual’s consent, unless an exception applies.

On November 12, 2013, two companies (the “Defendants”) that provide consumer background reports to third parties, including criminal record checks agreed to an $18.6 million settlement stemming from allegations that they violated the Fair Credit Reporting Act (“FCRA”) when providing these reports to prospective employers.

On November 4, 2013, the China Insurance Regulatory Commission, which is the Chinese regulatory and administrative authority for the insurance sector, issued the Interim Measures for the Management of the Authenticity of Information of Life Insurance Customers (the “Measures”). The Measures require life insurance companies and their agents to ensure the authenticity of personal data of life insurance policy holders. To help achieve this objective, the Measures impose rules for the collection, recording, management and use of the personal data of policy holders.

On November 19, 2013, the Federal Trade Commission held a workshop in Washington, D.C. to discuss The Internet of Things: Privacy & Security in a Connected World. FTC Chair Edith Ramirez and FTC Senior Attorney Karen Jagielski provided the opening remarks. Chairwoman Ramirez raised three key issues for workshop participants to consider:

On November 19, 2013, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the second webcast in its Hunton Global Privacy Update series. The program focused on the latest updates regarding the EU General Data Protection Regulation (“Proposed Regulation”), including a discussion of the European Parliament’s recent approval of its Compromise Text for the Proposed Regulation.

The Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) has stated that it will not investigate complaints relating to the alleged involvement of Microsoft Luxembourg (“Microsoft”) and Skype Software S.a.r.l. and Skype Communications S.a.r.l. (collectively, “Skype”) in the PRISM surveillance program. The PRISM surveillance program involves the transfer of EU citizens’ data to the U.S. National Security Agency (the “NSA”).

On November 14, 2013, the Minister of the Malaysian Communications and Multimedia Commission (the “Minister”) announced that Malaysia’s Personal Data Protection Act 2010 (the “Act”) would be going into effect as of November 15, marking the end of years of postponements. The following features of the law are of particular significance:

On November 13, 2013, the Federal Trade Commission announced that it denied a proposal submitted by AssertID, Inc. for a mechanism to obtain verifiable parental consent in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013.

On November 4, 2013, the data protection authority (“DPA”) of the German state of Rhineland-Palatinate announced two sets of recommendations for mobile payment systems, including contactless payments. The recommendations were prepared in conjunction with the state consumer protection agency, the Ministry of Justice for Rhineland-Palatinate, the mobile payment industry and research organizations.

On November 13, 2013, Google entered into a $17 million settlement agreement with the attorneys general from 37 states and the District of Columbia related to allegations that the company bypassed users’ cookie-blocking settings on Apple’s Safari browser in 2011 and 2012. The settlement requires Google to refrain from bypassing cookie controls in the future and requires Google to maintain a page on its site informing users about cookies and how to manage them. Last year, Google agreed to a $22.5 million settlement with the Federal Trade Commission in connection with similar ...

As reported in the Hunton Employment & Labor Perspectives Blog:

In a lawsuit filed in the United States District Court for the Northern District of Texas on November 4, 2013, Texas Attorney General Greg Abbott sought injunctive and declaratory relief against the Equal Employment Opportunity Commission (“EEOC”) on the grounds that the agency’s April 2012 Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions “purports to preempt the State’s sovereign power to enact and abide by state-law hiring practices.” In particular, the complaint argues against the EEOC’s prohibition against blanket “no felons” hiring policies. The Texas AG’s complaint highlights key failures and shortcomings of the EEOC’s recent investigative actions, and provides detailed examples of the “real world” effect of the guidance on the state’s hiring decisions.

On October 27, 2013, the South Korean Ministry of Security and Public Administration indicated that the government will issue certifications to private and public organizations that meet certain requirements of the Personal Information Protection Act. According to The Korea Times, organizations will be able to apply for the certification with the National Information Society Agency (“NISA”) beginning on November 28, 2013. The number of requirements that an organization will be assessed against will depend on the size of the organization. The Korea Times reports ...

As we reported on October 8, 2013, the Information Commissioner’s Office (“ICO”) has announced it is reviewing its Privacy Notices Code of Practice (the “Code”) to assess whether it should be updated. In anticipation of the November 30^th closing date for comments on the Code, today the ICO’s Head of Policy Delivery posted a request for feedback on the ICO’s blog.

On November 26, 2013, Kazakhstan’s new data privacy law, On Personal Data and Their Protection, will come into effect. The law was passed on May 21, 2013. Kazakhstan is the second country in Central Asia to enact a data privacy law, joining the Kyrgyz Republic, which passed the Law on Personal Data in 2008.

On November 2, 2013, Hunton & Williams partner Paul M. Tiao was featured on the Voice of America discussing the importance of the National Security Agency restoring trust among industry and foreign government allies. In the feature, “Next NSA Chief to Face Challenges, Change,” Tiao talked about some of the difficulties that will confront the NSA Director’s successor, and why government surveillance is likely to continue.