On November 19, 2016, the French government enacted a bill creating a legal basis for class actions against data controllers and processors resulting from data protection violations. The bill, which aims to facilitate access to justice for French citizens, establishes a general class action regime and includes specific provisions regarding data protection violations. These provisions go beyond the class action provisions already in place for consumers by adding, within the context of the French Data Protection Act of 1978 (“Loi Informatique et Libertés”), a right to class actions for data protection violations regardless of industry sector.
On November 22, 2016, the Department of Health and Human Services (“HHS”) announced a $650,000 settlement with University of Massachusetts Amherst (“UMass”), resulting from alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules.
On November 21, 2016, against the backdrop of the EU General Data Protection Regulation (“GDPR”) and Brexit, UK Information Commissioner Elizabeth Denham delivered a keynote speech at the Annual Conference of the National Association of Data Protection and Freedom of Information Officers. During the address, Denham discussed the UK ICO’s ongoing preparations for the GDPR, reiterating the government’s position that the GDPR will be implemented in the UK.
On November 23, 2016, Bloomberg BNA reported that the Hague Administrative Court in the Netherlands upheld a decision by the Dutch Data Protection Authority that WhatsApp was in breach of the Dutch Data Protection Act (the “Act”) on account of its alleged failure to identify a representative within the country responsible for compliance with the Act, despite the processing of personal data of Dutch WhatsApp users on Dutch smartphones. WhatsApp reportedly faces a fine of €10,000 per day up to a maximum of €1 million ...
Recently, German Chancellor Angela Merkel spoke at Germany’s 10th National IT Summit, and called for EU Member States to take a pragmatic approach to the application of EU data protection laws. Chancellor Merkel warned that a restrictive interpretation of data protection laws risks undermining the development of big data projects in the EU. Ahead of the introduction of the General Data Protection Regulation throughout the EU in May 2018, Merkel argued that, more than simply preventing the excesses of personal data use, data protection law should serve to enable emerging data ...
On November 17, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the GDPR’s provisions relating to the role of the Data Protection Officer (“DPO”).
On November 20, 2016, the heads of state of the 21 member economies of the Asia-Pacific Economic Cooperation (“APEC”) forum reaffirmed the APEC Cross-Border Privacy Rules (“CBPR”) system in their Leaders’ Declaration at the APEC Leaders’ Meeting in Lima, Peru as follows: “We recall the APEC Leaders 2011 Honolulu Declaration and recognize the importance of implementing the APEC Cross-Border Privacy Rules System, a voluntary mechanism whose participants seek to increase the number of economies, companies, and accountability agents that participate in the CBPR system.” The fact that the CBPR system is mentioned in the Leaders’ Declaration reflects its priority status on the APEC agenda.
On November 18, 2016, the Argentina Data Protection Agency (“DPA”) announced that it had issued DNPDP Disposition 60 – a new regulation on international transfers of personal data (the “Regulation”).
On November 14, 2016, Lincoln Financial Securities Corp. (“LFS”), a subsidiary of Lincoln Financial Group, entered into a settlement (the “Settlement”) with the Financial Industry Regulatory Authority (“FINRA”), requiring LFS to pay a $650,000 fine and implement stronger cybersecurity protocols following a 2012 hack into its cloud-based server.
On November 16, 2016, the UK Investigatory Powers Bill (the “Bill”) was approved by the UK House of Lords. Following ratification of the Bill by Royal Assent, which is expected before the end of 2016, the Bill will officially become law in the UK. The draft of the Bill has sparked controversy, as it will hand significant and wide-ranging powers to state surveillance agencies, and has been strongly criticized by some privacy and human rights advocacy groups.
On November 14, 2016, the National Institute of Standards and Technology (“NIST”) published guidance on cybersecurity for internet-connected devices, Systems Security Engineering: Considerations for A Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (the “Guidance”). Citing “the continuing frequency, intensity, and adverse consequences of cyber-attacks,” the Guidance “addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems.”
This post has been updated.
On November 10, 2016, the Court of Appeal for Moscow’s Taginsky District upheld an August 2016 decision by the district’s lower court that LinkedIn had violated Russian data protection laws. Access to the professional networking site is now set to be blocked across Russia.
On November 7, 2016, Adobe Systems Inc. (“Adobe”) entered into an assurance of voluntary compliance (“AVC”) with 15 state attorneys general to settle allegations that the company lacked proper measures to protect its systems from a 2013 cyber attack that resulted in the theft of the personal information of millions of customers. Under the terms of the AVC, Adobe must pay $1 million to the attorneys general and implement new data security policies and practices.
Only Three Days Left to Vote!
Hunton & Williams LLP is proud to announce our Privacy & Information Security Law Blog has been nominated in The Expert Institute’s 2016 Best Legal Blog Contest for Best AmLaw Blog of 2016. From all of the editors, lawyers and contributors that make our blog a success, we appreciate your continued support and readership, and ask that you please take a moment to vote for our blog!
The Privacy & Information Security Law Blog was ranked as the #1 Privacy & Data Security blog in LexBlog’s 2015 AmLaw 200 Blog Benchmark Report, and named PR News’ Best Legal PR Blog ...
As reported on the Insurance Recovery blog, earlier this week, retailer Tesco Plc’s (“Tesco”) banking branch reported that £2.5 million (approximately $3 million) had been stolen from 9,000 customer bank accounts over the weekend in what cyber experts said was the first mass hacking of accounts at a western bank. The reported loss still is being investigated by UK authorities, but is believed to have occurred through the bank’s online banking system. The loss, which is about half of what Tesco initially estimated, is still substantial and serves as a strong reminder that ...
On November 9, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP and AvePoint released the results of a joint global survey launched in May 2016 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). The GDPR replaces Directive 95/46/EC and will become applicable in May 2018.
On October 25, 2016, the United States Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued an advisory entitled Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (the “Advisory”), to help financial institutions understand how to fulfill their Bank Secrecy Act obligations with regard to cyber events and cyber-enabled crime. The Advisory indicates that SAR reporting is mandatory for cyber events where the financial institution “knows, suspects or has reason to suspect a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions….” Implementing this new guidance will require increased collaboration between AML and cybersecurity or IT departments in large institutions, and may create challenges for smaller banks that are more likely to outsource their cybersecurity functions.
Join us at the International Association of Privacy Professionals (“IAPP”) Data Protection Congress in Brussels, November 9-10, 2016.
On November 7, 2016, the Standing Committee of the National People’s Congress of China enacted the final Cybersecurity Law after it held its third reading of the draft Cybersecurity Law on October 31, 2016. The first draft of the Cybersecurity Law was published for comment more than a year ago, followed by the second draft in July this year. The final Cybersecurity Law will apply from June 1, 2017.
On November 1, 2016, the FTC announced that a group of entities known as the Consumer Education Group (“CEG”) settled FTC charges that, between late 2013 and 2015, it made millions of telemarketing calls, including pre-recorded robocalls, to consumers on the national Do Not Call (“DNC”) Registry, in violation of the Telemarketing Sales Rule (“TSR”).
On October 24, 2016, the UK Secretary of State for Culture, Media and Sport confirmed that the UK will implement the EU General Data Protection Regulation (“GDPR”) by May 2018. The UK Information Commissioner, Elizabeth Denham, has officially welcomed this confirmation and said that the UK must stay on top of the continuing digital economy evolution. The Information Commissioner’s Office (“ICO”) will publish a revised timeline setting out what areas of guidance the ICO will be prioritizing over the next six months.
On November 3, 2016, the High Court of England and Wales handed down its judgment in the case of R (on the application of Santos) v. Secretary of State for Exiting the European Union [2016] EWHC 2768 (Admin). This high-profile and closely followed case concerns the process that must be followed to trigger Britain’s exit from the European Union. In particular, the question before the court was whether the Prime Minister can wield her executive powers to trigger the exit or if she needs Parliamentary approval before doing so. In reaching its decision, the Court ruled in favor of the claimants, meaning that the Prime Minister does not have the power to trigger Britain’s exit from the European Union, but instead must first obtain Parliamentary approval.
On October 31, 2016, the Standing Committee of the National People’s Congress of China held a third reading of the draft Cybersecurity Law (the “third draft”). As we previously reported, the second draft of the Cybersecurity Law was published for comment in June. The National People’s Congress has not yet published the full text of the third draft of the Cybersecurity Law.
On October 20, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP hosted a side workshop at the International Conference of Data Protection & Privacy Commissioners focused on transparency and risk assessment, entitled “The Role of Risk Assessment and Transparency in Enabling Organizational Accountability in the Digital Economy.” The workshop was led by Bojana Bellamy, CIPL’s President, and featured contributions from many leaders in the field, including the UK ICO, Belgium and Hong Kong’s Privacy Commissioners, and counsel and privacy officers from several multinational companies.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code