Privacy & Information Security Law Blog

On September 14, 2011, the Article 29 Working Party (the “Working Party”) met with representatives of the European Advertising Standards Alliance (“EASA”) and IAB Europe, to discuss the industry’s new self-regulatory code of conduct for online behavioral advertising (the “Code”), which was released on April 14, 2011.

On September 15, 2011, the data protection authority of the German federal state of Hamburg (the “DPA”) published a press release confirming that Google has significantly improved compliance with respect to the implementation of Google Analytics in Germany.  This finding is the result of two years of fruitful dialog between Google and the DPA, which was acting on behalf of the conference of German data protection authorities responsible for the private sector (the “Düsseldorfer Kreis”).

On September 15, 2011, the U.S. House of Representatives Subcommittee on Commerce, Manufacturing and Technology held a hearing on “the impact and burden” of European privacy regulation.  Paula Bruening, former Vice President of the Centre for Information Policy Leadership at Hunton & Williams LLP, was one of five witnesses who testified at the hearing.

On September 8, 2011, Richard Allan, Facebook’s Director of European Public Policy, met with the German Federal Ministry of the Interior (the “Ministry”) and endorsed the Ministry’s initiative for a future self-regulatory code for social networks with a focus on data security, consumer protection and the protection of minors.

On September 12, 2011, the Commissioner for Data Protection and Freedom of Information of the German federal state of North Rhine-Westphalia (“DPA”) imposed a fine of €60,000 on Easycash GmbH (“Easycash”), a leading German service provider for electronic payments.

Over the past several weeks, online tracking practices involving the use of Flash cookies and ETags have been the subject of new research studies, class action lawsuits and significant media attention.

On September 6, 2011, a bankruptcy court approved an agreement between bankrupt bookseller Borders Group, Inc. (“Borders”) and Next Jump, Inc., (“Next Jump”) regarding Next Jump’s alleged trademark infringement and unauthorized use of Borders’ customer information.  Next Jump stipulated that it will not communicate with persons on Borders’ customer list, and that it would remove the Borders name and marks from websites that Next Jump owns or operates.

As reported in the Hunton Employment & Labor Perspectives Blog, on August 18, 2011, the National Labor Relations Board’s Acting General Counsel issued a report discussing fourteen social media cases recently decided by the Board.  The cases highlighted in the report offer insight regarding how the NLRB will handle various social media issues in the future.

Read the full post, which provides an overview of several of the cases highlighted in the NLRB’s report.

On August 5, 2011, the Beijing Second Intermediate People’s Court announced its decision in what is reported to be the largest criminal case to date involving the misuse of personal information in Beijing, China.  The Court based its ruling on Article 7 of the Seventh Amendment to the Criminal Law, which applies to three types of criminal activities: (1) illegal sale of citizens’ personal information, (2) illegal provision of citizens’ personal information, and (3) illegal access to citizens’ personal information.

On August 24, 2011, France’s new law concerning electronic communications (Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques, or the “Ordinance”) came into force.  The Ordinance implements the provisions of the revised EU Directive 2002/58/EC (the “e-Privacy Directive”) with respect to the French Data Protection Act of 1978, the French Postal and Electronic Communications Code and the French Consumer Protection Code.  Specifically, the Ordinance amends the existing legal framework concerning cookies and introduces an opt-in regime for the use of cookies.

On August 19, 2011, the Data Protection Commissioner’s Office of the German federal state of Schleswig-Holstein (“ULD”) ordered all businesses in that state “to shut down their fan pages on Facebook and remove social plug-ins such as the ‘like’-button from their websites.”  Although this warning is specific to Facebook users, the regulator’s explanation of its motives reveals a fundamental concern about common data analytics practices:

“By using the Facebook service traffic and content data are transferred into the USA and a qualified feedback is sent back to the website owner concerning the web page usage, the so called web analytics (Ger.: Reichweitenanalyse).  Whoever visits facebook.com or uses a plug-in must expect that he or she will be tracked by the company for two years.  Facebook builds a broad individual and for members even a personalised profile.  Such a profiling infringes German and European data protection law.  There is no sufficient information of users and there is no choice; the wording in the conditions of use and privacy statements of Facebook does not nearly meet the legal requirements relevant for compliance of legal notice, privacy consent and general terms of use.”

The Department of Commerce released an English translation of Peru’s Law for Personal Data Protection (Ley de Protección de Datos Personales, Ley No. 29733).  The law passed Peru’s Congress on June 7, 2011, and was signed by the president July 2, 2011.  Peru’s adoption of this new law is in keeping with a recent trend in Latin America, where Uruguay, Mexico and Colombia also have passed privacy legislation.

On July 27, 2011, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) published a draft rule including provisions regulating the processing of personal information by “Internet Information Service Providers.”  The draft rule, entitled “Provisions on the Administration of Internet Information Services” (the “Draft Provisions”), is not the first rule regulating Internet information services in China.  In 2000, the MIIT enacted the “Measures for the Administration of Internet Information Services” (the “Measures”), which took effect on September 25, 2000.  However, the Measures do not include any explicit provisions addressing the protection of personal information.

On July 25, 2011, Netflix stated that it will hold off on the launch of its Facebook integration in the U.S. due to legal issues related to the Video Privacy Protection Act (“VPPA”).  The new Facebook feature would allow Netflix subscribers to share their movie viewing information with friends online.  Netflix indicated in its second quarter shareholder letter that it supports House Bill 2471 (“H.B. 2471”), a proposed bipartisan amendment to the VPPA intended to clarify the consent requirement for sharing consumer video viewing information.  The letter states that “[u]nder the VPPA, it is ambiguous when and how a user can give permission for his or her video viewing data to be shared” and that the VPPA “discourages us from launching our Facebook integration domestically.”  As a result, the company plans to limit the campaign to Canada and Latin America until questions concerning the VPPA are resolved.

As reported in BNA’s Privacy Law Watch, on July 19, 2011, President Obama announced his intention to nominate Maureen K. Ohlhausen to the Federal Trade Commission. Obama sent his official nomination to the Senate on July 21, 2011. If approved, Ohlhausen will serve a seven-year term beginning on September 26, 2011, replacing Commissioner William E. Kovacic.

On July 13, 2011, the Article 29 Working Party (the “Working Party”), adopted an Opinion on the concept of consent as a legal basis for processing personal data, which includes recommendations for improving the concept in the context of the ongoing review of the EU data protection framework.  The Opinion also analyzes the conditions for valid consent under EU data protection law (that consent must be “freely given,” “specific,” “unambiguous,” “explicit,” “informed,” etc.), and clarifies the obligations of data controllers seeking consent.  In addition, the Opinion provides examples of valid and invalid consent with respect to company social media, medical research, body scanners, PNR data and online gaming.

On July 14, 2011, the U.S. House of Representatives Energy and Commerce Committee convened a joint hearing of the Subcommittee on Commerce, Manufacturing and Trade (chaired by Rep. Mary Bono Mack (R-CA)), and the Subcommittee on Communications and Technology (chaired by Rep. Greg Walden (R-OR)), to launch a comprehensive review of Internet privacy.  The series of hearings began with testimony from officials representing three agencies with jurisdiction over consumer privacy issues: FTC Commissioner Edith Ramirez, FCC Chairman Julius Genachowski, and Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling.

On July 12, 2011, Stanford Law School’s Center for Internet and Society reported the preliminary results of tests conducted with experimental software designed to detect third-party tracking.  Over the months spent developing “a platform for measuring dynamic web content,” researchers at the Stanford Security Lab analyzed tracking on the websites of Network Advertising Initiative (“NAI”) participants by observing how cookies are altered when a user opts out of behavioral tracking on the NAI website, or enables Do Not Track.

In April 2011, a technical malfunction suffered by the Amazon Elastic Compute Cloud resulted in a multi-day outage affecting hundreds of businesses.  The incident offered high-profile evidence of both the widespread popularity of cloud computing and the potential consequences of storing company data in the cloud.  It also drew attention to cloud service contracts, raising questions about performance levels and backups in the event of a service disruption.  With more and more businesses seeking to take advantage of the efficiency and cost savings offered by cloud computing, the ...

Adam Kardash from Heenan Blaikie LLP in Canada reports that Industry Canada and the Canadian Radio-television and Telecommunications Commission (“CRTC”) have released draft regulations for Canada’s Anti-Spam Legislation (“CASL”).  CASL imposes a consent-based anti-spam regime that restricts organizations’ ability to send commercial electronic messages.  Industry Canada and the CRTC are charged with the task of implementing regulations under CASL.

As reported in BNA’s Privacy Law Watch, on July 2, 2011, Peruvian President Alan García signed the Personal Data Protection Law (Ley de Protección de Datos Personales, Ley No. 29733), making Peru the latest Latin American country to adopt EU-style omnibus privacy legislation.  Implementing rules for the new law are to be drafted in the next few months.

On June 27, 2011, the Federal Trade Commission announced that it had reached a settlement with Teletrack, Inc. (“Teletrack”), a consumer reporting agency that sells consumer reports and other services to businesses that serve financially distressed consumers, after alleging that the company had sold information obtained through its consumer reporting business to marketers to create a marketing database. The FTC considered that the information sold by Teletrack, which included lists of consumers who applied for certain credit products, constituted “consumer ...

On June 29, 2011, the Senate Committee on Commerce, Science and Transportation convened a hearing entitled “Privacy and Data Security: Protecting Consumers in the Online World.”  In opening remarks, Committee Chair Senator Jay Rockefeller (D-WV) highlighted that the hearing would consider both privacy and data security and discussed three bills focused on these issues.  

Recent developments involving the use of facial recognition technology have raised privacy concerns in the United States, Europe and Canada.  As we reported earlier this month, the Electronic Privacy Information Center (“EPIC”) and several other consumer privacy advocacy groups filed a complaint with the Federal Trade Commission against Facebook for its use of facial recognition technology.  According to EPIC’s complaint, Facebook’s Tag Suggestions feature recognizes individuals’ faces based on photographs already on Facebook, then suggests that users “confirm Facebook’s identification of facial images in user photos” when they upload new photos to their Facebook profiles.

Speaking at the British Bankers’ Association’s Data Protection and Privacy Conference in London on June 20, 2011, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, signaled her intention to streamline data protection to “simplify the regulatory environment” and “substantially reduce the administrative burden” for businesses.  In return, Reding expects businesses to ensure “safe and transparent digital products and services.”

On June 15, 2011, European Data Protection Supervisor (“EDPS”) Peter Hustinx gave a press conference to present his annual report for 2010.  The annual report provides an overview of the EDPS’ main activities in 2010 and sets forth key priorities and challenges for the future.

In his speech, Hustinx focused primarily on the review of the EU data protection framework and the Data Retention Directive.  He referenced his recent Opinion in which he concluded that the Data Retention Directive does not meet general EU data protection requirements and that the European Commission should explore the possibility of replacing it with alternative measures such as data preservation through a “quick freeze” procedure.  Hustinx also stated his intention to keep a close eye on any developments with respect to RFID technology, cloud computing and online enforcement of intellectual property rights.

On June 13, 2011, Representative Mary Bono Mack (R-CA) released a discussion draft of the Secure and Fortify Data Act (the “SAFE Data Act”), which is designed to “protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.”  Representative Bono Mack is Chairman of the House Subcommittee on Commerce, Manufacturing and Trade.  In a press release, Representative Bono Mack remarked that “E-commerce is a vital and growing part of our economy.  We should take steps to embrace and protect it – and that starts with robust cyber security.”  She added that “consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them.”

On June 10, 2011, the Electronic Privacy Information Center (“EPIC”) filed a complaint with the Federal Trade Commission, claiming that Facebook’s facial recognition and automated online image identification features harm consumers and constitute “unfair and deceptive acts and practices.” According to a post on The Facebook Blog, the Tag Suggestions feature matches uploaded “new photos to other photos [the user is] tagged in.”  Facebook then “[groups] similar photos together and, whenever possible, suggest[s] the name of the friend in the photos.”  On June 13, 2011, Congressman Edward Markey (D-MA) released a statement supporting the complaint and indicating that he will “continue to closely monitor this issue.”

On June 8, 2011, the Department of Commerce’s Internet Policy Task Force released a report entitled “Cybersecurity, Innovation and the Internet Economy.”  The report contains four broad policy recommendations: (1) the creation of a nationally recognized approach to minimize vulnerabilities for the Internet and networking services industry, (2) the development of incentives to combat cybersecurity threats, (3) increased cybersecurity education and research, and (4) the promotion of international cooperation to enable sharing of cybersecurity best practices.

On June 7, 2011, Senator Patrick Leahy (D-VT) introduced the “Personal Data Privacy and Security Act of 2011” (the “Act”), co-sponsored by Senators Charles Schumer (D-NY) and Ben Cardin (D-MD).  This marks the fourth time Senator Leahy has introduced ambitious privacy legislation; in 2005, 2007 and 2009, similar bills failed to advance in the Senate.  In his press release, Senator Leahy stated that “many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country.”

The German Data Protection Authorities of Berlin and North Rhine-Westphalia have issued a paper containing Frequently Asked Questions about the German statutory data breach notification requirement that went into effect on September 1, 2009.  The paper provides detailed information on key questions concerning the procedure for notification as required by Section 42a of the German Federal Data Protection Act.

On June 6, 2011, join Hunton & Williams for a panel discussion on the implementation of the new EU Cookie Law in the UK, France, Germany and the Netherlands.  EU law on the use of cookies is changing.  Opt-in consent will be required, but specific requirements may differ across the EU.  What are organizations doing to ensure compliance with the new cookie law?  Listen to David Evans, Group Manager of Business and Industry of the Information Commissioner's Office, explain the steps that UK organizations are expected to take.  Learn about cookie compliance in France, Germany and the ...

According to a complaint submitted to the Federal Trade Commission on May 11, 2011, the popular cloud-based data storage provider Dropbox, Inc. made false claims about the security of its users’ data, thereby putting them at risk while gaining an unfair advantage over competitors that actually offer the sort of security Dropbox advertised.  The Dropbox service allows users to create folders on their computers that automatically sync with corresponding folders on Dropbox’s servers.  Users can specify whether their folders are public or private.  The allegations concern the folders designated as private, which are touted as being protected by encryption.  According to the complaint, which was filed by Christopher Soghoian (a security researcher and former technologist at the FTC’s Division of Privacy and Identity Protection), although Dropbox represented that its encryption features would render a user’s files completely inaccessible to any person other than the user, in fact, Dropbox employees maintained copies of the encryption keys and could therefore access the contents of users’ files.  This left Dropbox users’ files susceptible to unauthorized access (e.g., governmental demands for data, hacking attacks, rogue insiders).

On May 11, 2011, in Thomas Robins v. Spokeo, Inc., the United States District Court for the Central District of California granted in part and denied in part defendant Spokeo, Inc.’s motion to dismiss claims that it violated the Fair Credit Reporting Act (“FCRA”).  The ruling allows the plaintiff to continue his action against Spokeo, a website that aggregates data about individuals from both online and offline sources.

On May 25, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a news release stating that organizations and businesses that run websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement of the new cookie law begins.  Information Commissioner Christopher Graham made it clear, however, that “[t]his does not let everyone off the hook.  Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

As we reported last week, on May 12, 2011, the Obama administration announced a comprehensive cybersecurity legislative proposal in a letter to Congress.  The proposal, which is the culmination of two years of work by an interagency team made up of representatives from multiple departments and agencies, aims to improve the nation’s cybersecurity and protect critical infrastructure.  If enacted, this legislation will affect many government and private-sector owners and operators of cyber systems, including all critical infrastructure, such as energy, financial systems, manufacturing, communications and transportation.  In addition, the proposal includes a wide-reaching data breach notification law that is intended generally to preempt the existing state breach laws in 46 states plus Washington, D.C., Puerto Rico and the U.S. Virgin Islands.

A new bill proposed in California, the Social Networking Privacy Act (the “Act”), would force social networking websites to establish default privacy settings for their users that prohibit such sites from publicly displaying most information about users without the users’ consent.  Given that many social networking websites currently have default settings that make user personal information and photos public unless the user changes those settings, the Act would represent a fundamental shift in social networking privacy.

From May 26, 2011, UK law regulating the use of cookies on websites will change from an opt-out regime, to one requiring prior opt-in consent.  This change poses significant practical challenges for website operators.  In guidance on the new regulations, the UK Information Commissioner has acknowledged the challenge but warned that website operators must take steps now to ensure that they are ready to comply.

On May 12, 2011, the Federal Trade Commission announced that Playdom, Inc., a Disney subsidiary, has agreed to pay $3 million to settle charges that the company violated Section 5 of the FTC Act and the Children’s Online Privacy Protection Rule (“COPPA Rule”) “by illegally collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents’ prior consent.”  This settlement marks the largest civil penalty imposed for an FTC COPPA Rule violation.

On May 9, 2011, Senator Jay Rockefeller (D-WV), the Chairman of the Senate Committee on Commerce, Science and Transportation, introduced the “Do-Not-Track Online Act of 2011” (the “Act”).  The Act instructs the Federal Trade Commission to promulgate regulations that would (1) create standards for the implementation of a “Do Not Track” mechanism that would enable individuals to express a desire to not be tracked online and (2) prohibit online service providers from tracking individuals who express such a desire.  The regulations would allow online service providers to track individuals who do not want to be tracked only if (1) the tracking is necessary to provide a service requested by the individual (and the individuals’ information is anonymized or deleted when the service is provided), or (2) the individual is given clear notice about the tracking and affirmatively consents to the tracking.

On May 2, 2011, Sony Computer Entertainment America (“Sony”) disclosed that hackers had gained access to the personal information of 24.6 million customers who played games on the Sony Online Entertainment (“SOE”) network.  Sony stated that hackers may have accessed names, addresses and birth dates of SOE gaming customers, as well as credit card data of about 12,700 non-U.S. accounts and 10,700 bank account numbers from “an outdated database from 2007.”  Sony clarified that the SOE breach was not the result of a second attack, but rather occurred as part of the broad incursion against the company that affected 77 million PlayStation accounts, as the company previously disclosed on April 26.

Austrian DPA Gives Green Light Subject to Conditions

On April 21, 2011, the Austrian Data Protection Commission (“Austrian DPA”) published its decision allowing Google to register its Google Street View application on the Austrian DPA’s data processing register.  As part of the registration procedure, Google agreed to blur images of faces and license plates prior to publishing them on the Internet, and to provide information to the public about the right to object to publication of certain images.  Further, the Austrian DPA required Google to:

On April 25, 2011, Legal Bisnow interviewed Marty Abrams, Executive Director of the Centre for Information Policy Leadership at Hunton & Williams LLP, and Hunton & Williams partner Lisa Sotto about hot topics in privacy and data protection.

Read Legal Bisnow’s article, “Hottest Practice Area?”.

On April 26, 2011, the French Data Protection Authority (the “CNIL”) issued a press release unveiling its inspection goals for the coming year.  In a report adopted on March 24, 2011, the CNIL indicated that it intends to conduct at least 400 inspections in France (100 more than the 2010 goal), with a special focus on the following issues:

On April 11, 2011, the United States District Court for the Northern District of California declined to dismiss four of the nine claims in a class action lawsuit filed against RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites.  The suit stems from a December 2009 security breach caused by an SQL injection flaw that resulted in the exposure of unencrypted user names and passwords of approximately 32 million RockYou users.  RockYou subsequently fixed the error and acknowledged in a public statement that “one or more individuals had illegally breached its databases” and that “at the time of the breach, the hacked database had not been up to date with industry standard security protocols.”  After receiving notification of the security breach from RockYou in mid-December, on December 28, 2009, a RockYou user who had signed up for a photo-sharing application filed a complaint seeking injunctive relief and damages for himself and on behalf of all other similarly-situated individuals.

On April 14, 2011, the European Advertising Standards Alliance (“EASA”) and IAB Europe released complementary new self-regulatory standards for online behavioral advertising.  This cross-industry initiative is aimed at enhancing European consumers’ control over their data and ensuring transparency, particularly with respect to advertisements that are delivered using third party online behavioral advertising.

On April 18, 2011, the European Commission (the “Commission”) adopted an Evaluation Report on the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”).

The Data Retention Directive requires that, for law enforcement purposes, telecommunications service and network providers (“Operators”) must retain certain categories of telecommunications data (excluding the content of the communication) for not less than six months and not more than two years.  To date, most of the EU Member States have implemented the Data Retention Directive, but Czech Republic, Germany and Romania no longer have implementing laws in place because their constitutional courts have annulled the implementing laws as unconstitutional.

On April 15, 2011, the United Kingdom’s Department for Culture, Media and Sport (“DCMS”) announced that the UK will adopt the new EU rules on cookies without “gold-plating” the regulations by imposing additional national requirements, to help ensure that British companies can compete with the rest of Europe.  As we previously reported, the UK government had reassured businesses that it would carry out the implementation in a manner that would minimize the impact on businesses and consumers.

On April 13, 2011, Representative Cliff Stearns (R-FL) introduced the Consumer Privacy Protection Act of 2011 (the “Act”), which seeks to “protect and enhance consumer privacy” both online and offline by imposing certain notice and choice requirements with respect to the collection and use of personal information.

On April 12, 2011, U.S. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011 (the “Act”) to “establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.”  The bill applies broadly to entities that collect, use, transfer or store the “covered information” of more than 5,000 individuals over a consecutive 12-month period.  Certain provisions of the bill would direct the FTC to initiate rulemaking proceedings within specified timeframes, but the bill also imposes requirements directly on covered entities.

On March 30, 2011, the Federal Trade Commission announced that Google agreed to settle charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010.  According to the FTC’s complaint (main document, exhibits), Google led Gmail users to believe that they could choose whether or not they wanted to join Google Buzz.  The options for declining or leaving Google Buzz, however, were ineffective.  For those who joined Google Buzz, the controls for limiting the sharing of their personal information were difficult to locate and confusing.  Furthermore, the FTC charged that Google violated its privacy policies by using information provided for Gmail for another purpose – social networking – without obtaining consumers’ permission in advance.  Finally, the FTC alleged that Google misrepresented that it was treating personal information from the European Union in accordance with the U.S.-EU Safe Harbor framework because it failed to give consumers notice and choice before using their information for a different purpose from that for which it was collected.

As reported in Hunton & Williams' Employment & Labor Perspectives blog:

An employer who allegedly posted to an employee’s Facebook and Twitter accounts without her consent may face liability for its actions, according to a federal judge in Illinois.  The case is Maremont v. Susan Fredman Design Group, Ltd., in the U.S. District Court for the Northern District of Illinois (2011 U.S. Dist. LEXIS 26441, March 15, 2011).

The Plaintiff, Jill E. Maremont, worked as the Director of Marketing, Public Relations and E-Commerce for an interior designer and her company, Susan Fredman and the Susan Fredman Design Group, Ltd. (Defendants).  Maremont contends she created a “popular personal following” on Facebook and Twitter, and she also created a company blog called “Designer Diaries: Tales from the Interior.”

On March 16, 2011, at a U.S. Senate Commerce Committee hearing, Senator John Kerry (D-Mass.) announced his intention to introduce privacy legislation that would create “a common code of conduct that respects the rights of both the people sharing their information and legitimate organizations collecting and using it on fair terms and conditions.”  Kerry indicated that he had “reached out to our colleagues on both sides of the aisle, to privacy experts at firms, in academia, and in the advocacy community,” and asked for input into the process from witnesses at the hearing.

On March 21, 2011, the French Data Protection Authority (the “CNIL”) published its decision to fine Google €100,000 for violating the French Data Protection Act.

In 2009, the CNIL inspected Google’s geolocation service (“Street View”), which revealed that Google had collected huge quantities of undeclared personal data (e.g., navigation data, email content, logins and passwords) through Wi-Fi connections accessed by its Street View cars.  Google responded that the personal data had been collected by mistake, and promised to stop the Wi-Fi data collection.

On March 11, 2011, Virginia resident Peter Comstock filed a class action complaint against Netflix, Inc. in the United States District Court for the Northern District of California.  According to the complaint, Netflix “tracks its users’ viewing habits with respect to both videos watched over the Internet...and physical movies ordered through the Internet and watched at home,” while encouraging “subscribers to rank the videos they watch.”  The complaint alleges that Netflix’s practice of maintaining customer movie rental history and recommendations, “long after subscribers cancel their Netflix subscription,” violates the federal Video Privacy Protection Act (“VPPA”), and California’s Customer Records Act and Unfair Competition Law.  In addition, the complaint alleges that Netflix’s failure to properly store user information and its sale of customer data to third parties led to its unjust enrichment and a breach of its fiduciary duty.  Comstock and the putative class are seeking both an injunction to stop Netflix’s current practices and monetary damages.

On March 16, 2011, U.S. Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling called on Congress to enact robust, baseline legislation to “reform consumer data privacy in the Internet economy.” Speaking before the U.S. Senate Committee on Commerce, Science and Transportation, Assistant Secretary Strickling emphasized the Department of Commerce’s support for a legislative proposal that would adopt many of the recommendations of the “Green Paper,” a Department report authored last December.

On March 16, 2011, UK Information Commissioner Christopher Graham shared details of the government’s proposals for the implementation of the e-Privacy Directive with delegates at the Direct Marketing Association’s Data Protection Conference in London. A letter from the Minister for Culture, Communications and Creative Industries, Ed Vaizey, provides important reassurance to business that “Government is committed to introducing the amended provision in a way that minimises impacts to business and consumers.”

On March 16, 2011, a meeting of the “European Privacy Platform” group of the European Parliament was held in Brussels.  The meeting provided important insights into the likely structure and content of proposed revisions to the European Data Protection Directive 95/46/EC that the European Commission has been working on for the past several months.

On March 11, 2011, the Federal Trade Commission finalized a proposed settlement with Twitter, which resolved allegations that Twitter deceived consumers and failed to safeguard their personal information. The FTC first announced the proposed settlement in June 2010. Specifically, the FTC claimed that Twitter, contrary to its privacy policy statements, did not provide reasonable and appropriate security to prevent unauthorized access to consumers’ personal information and did not honor the consumers’ privacy choices in designating certain tweets as nonpublic. Intruders exploited these failures and obtained administrative control of the Twitter system. These intruders were able to gain unauthorized access to nonpublic tweets and user information, reset any user’s password, and send unauthorized tweets from any user account.

On March 8, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a warning to UK businesses on the forthcoming amendments to the Privacy and Electronic Communications Directive (2002/58/EC as amended by 2009/136/EC) that will require businesses operating websites in the UK to obtain consent from website visitors to store information on their computers and retrieve that information in the form of cookies.

The Committee of Experts on New Media (the “Expert Committee”) of the Council of Europe (“CoE”) has issued draft recommendations and guidelines regarding the protection of human rights by search engines and social networking providers. The draft recommendations and guidelines observe that the way in which search engines and social networking providers operate impacts various human rights, especially the rights to freedom of expression and information and the right to privacy and data protection. Current drafts of both sets of recommendations and guidelines are open for public consultation and comments until March 18, 2011.

On March 4, 2011, Congressman Cliff Stearns (R-FL) announced plans to introduce new online privacy legislation. The proposed bill is based on legislation Stearns drafted in 2005, the Consumer Privacy Protection Act, which was not reported out of committee. While speaking at a Technology Policy Institute event, “Online Privacy After the DOC and FTC Reports,” Stearns stressed that this new legislation would seek to balance “privacy with innovation,” protecting the interests of both businesses and their online customers.

According to Stearns, “[t]he goal of the ...

A draft document, entitled Information Security Technology - Guidelines for Personal Information Protection, has been issued in China for comment.  While comments are being solicited at this time, if issued in its proposed form, this document has the potential to add significantly to the rules governing the handling of personal information in China.  Read More...

The Government of India’s Ministry of Communications & Information Technology has published three draft rules that would implement the Information Technology Act, 2000. These include: Reasonable Security Practices and Procedures and Sensitive Personal Information; Due Diligence Observed by Intermediaries Guidelines and Guidelines for Cyber Cafe. The first two of these rules could affect international companies that provide digital services or process data in India. The comment period on the rules ends February 28, 2011.

On February 18, 2011, the European Network and Information Security Agency (“ENISA”), an advisory body created to enhance information security in the EU, announced the issuance of its report on cookies, entitled “Bittersweet cookies.  Some security and privacy considerations.”

On February 14, 2011, Senator Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, announced the creation of a subcommittee on Privacy, Technology and the Law.  The subcommittee will be chaired by Senator Al Franken (D-MN), and its jurisdiction will include oversight of laws and policies that govern the commercial collection, use and dissemination of personal information.  Senator Franken said, “The boom of new technologies…has also put an unprecedented amount of personal information into the hands of large companies that are unknown and unaccountable to the ...

On February 10, 2011, Representative Bobby Rush (D-Ill.) re-introduced the BEST PRACTICES Act (H.R. 611), which aims to provide consumers with meaningful choices about the collection, use and disclosure of their personal information. As we reported last year, Rush initially introduced the BEST PRACTICES Act in July 2010.  H.R. 611 contains no substantive changes to the original legislation (H.R. 5777), and does not include a Do Not Track mechanism.

In a press release issued today, Rush stated that he does not oppose Do Not Track, contending that “[i]n fact, in order for ...

On February 11, 2011, Representative Jackie Speier (D-Calif.) introduced two pieces of legislation that, in her words, “send a clear message—privacy over profit.” The Do Not Track Me Online Act of 2011 (HR 654), would direct the Federal Trade Commission to promulgate regulations that establish standards for a “Do Not Track” mechanism. The regulations also would require covered entities to disclose their information practices to consumers, and to respect consumers’ choices regarding the collection and use of their information. 

The National Institute of Standards and Technology (“NIST”) has issued draft Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) (the “Guidelines”) for public comment. The Guidelines provide an overview of the security and privacy challenges pertinent to public cloud computing, and identify considerations for organizations outsourcing data, applications and infrastructure to a public cloud environment. The Guidelines are intended for use by federal agencies. Use in nongovernmental settings is voluntary.

Connecticut’s newly-elected Attorney General George Jepsen recently announced an agreement with Google, Inc. concerning the company’s refusal to comply with a Civil Investigative Demand brought by his predecessor, freshman Senator Richard Blumenthal (D-CT).  According to a January 28, 2011 press release, to facilitate settlement discussions with the Connecticut-led, 40-state coalition, Google will stipulate that “payload data” compiled in 2008 and 2009 “contained URLs of requested Web pages, partial or complete e-mail communications or other information, including confidential and private information” transmitted by individuals across unsecured wireless networks.

On January 28, 2011, the Centre for Information Policy Leadership at Hunton & Williams LLP filed comments with the United States Department of Commerce in which the Centre stressed privacy governance based on data stewardship by accountable organizations.  The Centre was one of a number of organizations that submitted comments in response to the Department of Commerce’s privacy paper, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” which was released in December 2010.  The theme of today’s comments is similar to that which the Centre suggested earlier this month in its comments responding to the European Commission’s consultation paper.

The Federal Trade Commission announced today that it is extending the deadline for public comments on its December 1, 2010 report, “Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policy Makers.”  In light of the complex issues raised by the report, a number of organizations requested an extension of the original January 31, 2011 deadline.  Stakeholders now have until February 18, 2011, to submit their comments.

On January 17, 2011, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released a response to the European Commission’s consultation paper, “A comprehensive approach on personal data protection in the European Union.”  In its response, prepared by Richard Thomas, former UK Information Commissioner and Global Strategy Advisor of the Centre, the Centre calls for a modernized European framework for data protection that addresses the realities of the digital age.

On January 14, 2011, the European Network and Information Security Agency (“ENISA”), which was created to enhance information security within the European Union, published a report entitled “Data breach notifications in the EU” (the “Report”).

Currently, there is wide debate throughout the EU regarding data breach notification requirements.  The debate stems from recent high-profile data breach incidents and the introduction of mandatory data breach notification requirements for telecommunication service providers imposed by EU Directive 2009/136/EC (amending EU Directive 2002/58/EC, the “e-Privacy Directive”), which must be integrated into EU Member States’ national laws by May 25, 2011.  The goal of the Report is to assist Member States, regulatory authorities and private organizations with their implementation of data breach notification policies.

On January 12, 2011, Adobe Systems Incorporated (“Adobe”) announced in its Adobe Flash Platform Blog that it is working with browser vendors to integrate control features into browser user interfaces that will allow users to more easily control local shared objects (“LSOs”) on their computers.  Local shared objects, often referred to as Flash cookies, store information about online activity, including things like browsing history, login details and preferences.  In August 2010, we reported on several lawsuits that had been filed against online advertising networks for, among other things, using Flash cookies to re-create deleted browser cookies.

In late December 2010, consumers filed two class action lawsuits against Apple Inc., claiming that several applications they downloaded from Apple’s App Store sent their personal information to third parties without their consent.  Specifically, the consumers claim that Apple allowed third party advertising networks to follow user activity through the Unique Device Identifiers that Apple assigns each device that downloads applications.  The complaint, filed in the U.S. District Court for the Northern District of California, also named several application developers such as Pandora and The Weather Channel as co-defendants.

Early this week, the Article 29 Working Party issued its December 16, 2010 Opinion on applicable law, providing guidance on the scope of EU data protection law and the practical implications of Article 4 of the EU Data Protection Directive (95/46/EC, the “Directive”).

The purpose of the Working Party’s Opinion 8/2010 (the “Opinion”) is twofold.  First, it intends to clarify the current scope of EU data protection law with regard to the processing of personal data within and outside the European Economic Area (the “EEA”).  The clarifications by the Working Party are aimed at enhancing legal certainty for data controllers, providing a clearer framework for individuals and stakeholders and avoiding legal loopholes and potential conflicts between overlapping national data protection laws.  Throughout the Opinion, practical examples are used to demonstrate the clarifications, such as in the context of centralized HR databases, geolocation services, cloud computing and online social networks.  Furthermore, in light of the general revision of the EU data protection framework, the Opinion includes suggestions to improve the existing applicable law provisions in the EU Data Protection Directive.

The Centre for Information Policy Leadership at Hunton & Williams has issued the following statement about the U.S. Department of Commerce’s “Green Paper” released on December 16:

The Centre for Information Policy Leadership congratulates the Department of Commerce on the release of its Green Paper, entitled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” and commends the Department for the extensive outreach and research it conducted to inform the document. 

On December 14, 2010, the United States Court of Appeals for the Sixth Circuit ruled in United States v. Warshak that a “subscriber enjoys a reasonable expectation of privacy in the content of emails” stored, sent or received through a commercial internet service provider (“ISP”).  According to the court, the government must have a search warrant before it can compel a commercial ISP to turn over the contents of a subscriber’s emails.

In 2008, a jury sitting in the Southern District of Ohio convicted defendants Steven Warshak, Harriet Warshak and TCI Media, Inc. of various crimes relating to defrauding customers of Berkeley Premium Nutraceuticals, Inc.  Before trial, Warshak’s motion to exclude thousands of emails that the government obtained from his ISP was denied.  The defendants appealed their convictions, arguing that the government’s warrantless seizure of Warshak’s private emails violated the Fourth Amendment’s prohibition on unreasonable searches and seizures.

As previously reported, on December 16, 2010, the U.S. Department of Commerce released its Green Paper “aimed at promoting consumer privacy online while ensuring the Internet remains a platform that spurs innovation, job creation, and economic growth.”

During a press teleconference earlier that morning announcing the release of the Green Paper, Secretary Gary Locke commented on the Green Paper’s recommendation of adopting a baseline commercial data privacy framework, or a “privacy bill of rights,” built on an expanded, revitalized set of Fair Information Practice Principles (“FIPPs”).  He indicated that baseline FIPPs would respond to consumer concerns and help increase consumer trust.  The Secretary emphasized that the Department of Commerce would look to stakeholders to help flesh out appropriate frameworks for specific industry sectors and various types of data processing.  He also noted that the agency is soliciting comments on how best to give the framework the “teeth” necessary to make it effective.  The Secretary added that the Department of Commerce is also open to public comment regarding whether the framework should be enforced through legislation or simply by conferring power on the Federal Trade Commission.

Adam Kardash from Heenan Blaikie LLP in Canada reports that Bill C-28, the Fighting Internet and Wireless Spam bill, received Royal Assent on December 15, 2010.  The centerpiece of the Act are prohibitions aimed at preventing spam, but the law also includes regulations to combat phishing and protect users from online malware.  Specifically, among other things, the legislation would prohibit:

• sending commercial electronic messages (including emails and text messages) without consent (subject to certain limited exceptions);
• altering transmission data on email messages; and
• the installation of computer programs without express consent.

On December 10, 2010, Senior Advisor to U.S. Senator John Kerry (D-Mass.), Daniel Sepulveda, briefed the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) members on Senator Kerry’s forthcoming privacy legislation.  The bill, which will be introduced next Congress, aims to establish a regulatory framework for the comprehensive protection of individuals’ personal data that authorizes rulemakings by the Federal Trade Commission.

The Yomiuri Shimbun has been following a story regarding the November 25, 2010, release by a Tokyo publisher of a book containing Tokyo Metropolitan Police Department anti-terrorism documents that were leaked on the Internet in October.  According to reports, the book (“Leaked Police Terrorism Info: All Data”) contains 469 pages of unedited personal information of foreign residents who are being monitored by Japanese authorities, as well as the names of the police officers involved in the cases and individuals who have cooperated with police investigations.  On November 29, a ...

On December 7, 2010, Microsoft announced in a blog post that Internet Explorer 9 will feature a new “opt-in mechanism” and “Tracking Protection Lists” to help consumers control tracking of their online activity.  Since the Federal Trade Commission released its privacy report last week, there has been considerable debate regarding consumer protection on the Internet, especially with respect to the “Do Not Track” concept.  Microsoft’s blog post states, “We believe that the combination of consumer opt-in, an open platform for publishing of Tracking Protection ...

On December 1, 2010, the German Federal Ministry of the Interior (the “BMI”) issued a paper entitled “Data Protection on the Internet,” which contains a draft law to protect against particularly serious violations of privacy rights online.

On December 2, 2010, discussions about privacy continued at a hearing on “Do Not Track Legislation: Is Now the Right Time?” held by the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Commerce, Trade and Consumer Protection.  The hearing focused on a variety of consumer privacy issues, including the implications and challenges of a Do Not Track mechanism, the consumer’s desire for more control over the collection and use of their data and tracking practices, and the need to preserve an advertising supported Internet that promotes economic growth through online business.

On December 1, 2010, the European Parliament hosted a Privacy Platform on the European Commission’s recent Communication proposing “a comprehensive approach on personal data protection in the European Union,” which is aimed at modernizing the current EU data protection framework.

The panel, hosted by European Parliament Member Sophie in ‘t Veld, included:

• The Head of Cabinet of the European Commission’s Commissioner for Justice, Fundamental Rights and Citizenship, Martin Selmayr (in Commissioner Viviane Reding’s absence);
• The Chairman of the Article 29 Working Party, Jacob Kohnstamm; and
• The European Data Protection Supervisor, Peter Hustinx.

The Platform was very well attended, bringing together a wide range of stakeholders from both the public and private sectors.

On December 1, 2010, the Federal Trade Commission released its long-awaited report on online privacy entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”  Observers expected the report to address the concept of privacy by design, the burdens placed on consumers to read and understand privacy notices and make privacy choices, the provision of individual access to personal data and the rights of consumers with respect to Internet tracking.  The FTC report introduces a privacy framework to “establish certain common assumptions and bedrock protections on which both consumers and businesses can rely as they engage in commerce.”  It includes the following elements:

David Vladeck, Director of the FTC’s Division of Consumer Protection, this morning previewed the long-awaited FTC report that sums up months of discussion regarding the future of privacy regulation in the United States and examines the viability of a Do Not Track mechanism.  Vladeck indicated at the Consumer Watchdog Policy Conference that the existing privacy framework in the U.S. is not keeping pace with new technologies.  In addition, he stated that the pace of industry self-regulation, while constructive, has been too slow.  According to Vladeck, the report will address several major themes, including the following:

On November 19, 2010, the UK Information Commissioner’s Office (the “ICO”) announced that Google has signed an undertaking committing it to improve its data processing practices.  The undertaking follows an ICO investigation into the collection of payload data by Google Street View cars in the UK.  Google’s Senior Vice President, Alan Eustace, signed the undertaking on behalf of Google, Inc.

On November 15, 2010, the Centre for Information Policy Leadership filed comments with the Department of Commerce in response to the Department’s Notice of Inquiry (“NOI”) on the Global Free Flow of Information on the Internet.  The NOI was issued pursuant to an examination by the Department’s Internet Policy Task Force of issues related to restrictions on information flows on the Internet.  The NOI poses wide-ranging questions related to why such restrictions were instituted; the impact restrictions may have on innovation, economic development, global trade and investment; and how best to deal with any negative effects.  In the NOI, the Department acknowledges the benefits that businesses, emerging entrepreneurs and consumers derive from the ability to transmit information quickly and efficiently both domestically and internationally.  It also recognizes the integral role the free flow of information plays in promoting economic growth and democratic values essential to free markets and free societies.  The Department also articulated goals such as helping industry and other stakeholders operate in diverse Internet environments, and identifying policies that will advance economic growth and create job opportunities for Americans.

On November 10, 2010, the American Bar Association’s Section of Antitrust Law’s International Committee and Corporate Counseling Committee hosted a webinar on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference?”.  A panel of senior officials and private sector experts provided insights on emerging cross-border data privacy and security issues.  Hunton & Williams partner Lisa Sotto was tapped to moderate an outstanding panel which included Billy Hawkes, Commissioner, Office of the Data Protection Commissioner ...

In a move toward implementation of the EU e-Privacy Directive, on November 3, 2010, the Dutch Minister of Economic Affairs submitted a bill to the Dutch Parliament that would amend the Dutch Telecommunications Act to obligate telecom and internet service providers to provide notification of data security breaches, and require consent for the use of cookies (the “Bill”).

The proposed Bill would require telecom and internet service providers to notify the Dutch Telecom Authority (the “OPTA”) without delay in the event of a security breach involving personal data.  They also would be required to notify affected individuals without delay if the breach is likely to have an adverse effect on the protection of their personal data.  The Bill does not affect initiatives to introduce a broader data breach notification regime applicable to other industries outside the telecom sector.  The Dutch Minister of Justice recently stated that he expects to issue a proposal to implement a more general data breach notification law in 2011.

Earlier today, a Department of Commerce official briefed Hunton & Williams and Centre for Information Policy Leadership representatives on the Department’s forthcoming “Green Paper” on privacy.  On November 12, 2010, Telecommunications Reports Daily published an article based on information obtained from an unofficial, pre-release draft version of the Green Paper.  It remains to be seen which portions of the leaked draft ultimately will survive the interagency approval process currently underway.  The Department of Commerce representative emphasized that the content of the draft Green Paper currently undergoing review is consistent with Assistant Secretary of Commerce Larry Strickling’s October 27, 2010, speech in Jerusalem.  In his speech, Secretary Strickling explained that the Department is calling it a “Green” Paper, “not because of its environmental impact, but because it contains both recommendations and a further set of questions on topics about which [the Department] seek[s] further input.”

As the EU released new data protection proposals recommending stricter controls on individual online privacy, Hunton & Williams Brussels counsel Wim Nauwelaerts appeared on BBC TV and spoke to the Associated Press and The New York Times.  The articles also were featured globally in Forbes Magazine, Bloomberg Businessweek, CNBC, The International-Herald Tribune, The Parliament Magazine and other media sources.  London partner Bridget Treacy spoke with The Wall Street Journal, and the firm’s practice head Lisa Sotto spoke with The Washington Post.

Representative Rick Boucher (D-VA), current head of the House Subcommittee on Communications, Technology and the Internet, lost his reelection bid yesterday to Republican Morgan Griffith, the Majority Leader of the Virginia House of Delegates.  Representative Boucher, widely recognized and respected for his legislative efforts in the areas of technology, telecommunications and privacy law, co-authored the CAN-SPAM Act and also introduced draft privacy legislation earlier this year.  Congressman Boucher’s defeat leaves the House Subcommittee on Communications, Technology and the Internet panel without its top Democrat, and it is unclear who will fill that leadership vacancy.

The UK Information Commissioner’s Office (“ICO”) has announced the outcome of its investigation into the collection of payload data by Google Street View cars in the UK.  The ICO has concluded that there was a “significant breach” of the UK Data Protection Act in that “the collection of this information was not fair or lawful and constitutes a significant breach of the first principle [of the Act].”

While the ICO has the power to impose monetary penalties for serious breaches of the Act, capped at £500,000 per breach, in this case the ICO has determined that the appropriate course is to secure an undertaking from Google, requiring it to implement additional data protection safeguards.

The White House recently announced on its official blog that the National Science and Technology Council’s Committee on Technology has launched a new Subcommittee on Privacy and Internet Policy.  The subcommittee will be co-chaired by a representative from the Department of Commerce and the Department of Justice and will include representatives from over a dozen other departments and federal agencies, such as the Department of Health and Human Services and the National Security Council.  The goal of the subcommittee is to “develop principles and strategic directions” that will foster “consensus in legislative, regulatory, and international Internet policy realms.”  Some of these principles include “facilitating transparency, promoting cooperation, empowering individuals to make informed and intelligent choices, strengthening multi-stakeholder governance models, and building trust in online environments.”

The International Conference of Data Protection and Privacy Commissioners is convening in Jerusalem.  Appropriately, given the ancient history of the host city, the conference theme is “Privacy: Generations.”  The debate on Day One has drawn on the founding principles of data protection, but also has heavily focused on the future challenges in safeguarding the fundamental rights of privacy and data protection in a world of ubiquitous computing and social networking.

The tone was set in the opening plenary when Dr. Yuval Steinitz, the Israeli Minister of Finance, reminded us of the key tensions in privacy policy.  While privacy may be a fundamental tenet of every democracy, individual cultures must make choices between the competing values of privacy and security, and privacy and transparency.  The balance between these values, and the priority given to one over the other, will shift over time and from one culture to another.  The conference provides a timely opportunity to reassess where that balance currently lies, and what balance may be appropriate in the near future.

As reported in Hunton & Williams' Employment & Labor Perspectives blog:

A recent New York state trial court decision, Romano v. Steelcase Inc., et al., is representative of a recent trend of parties seeking, and courts permitting, discovery of information on social networking sites such as Facebook and MySpace.  Rejecting the plaintiff’s privacy concerns, the Romano court held that such information is discoverable because the plaintiff’s damages are at issue.  The court ordered the release of the plaintiff’s postings, pictures and other information on the social networking sites.