Privacy & Information Security Law Blog

On July 25, 2017, the French Data Protection Authority (“CNIL”) published their decision on the adoption of several amendments to its Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing schemes (the “Single Authorization”). The amendments reflect changes introduced by French law on December 9, 2016, regarding transparency, the fight against corruption and the modernization of the economy, also known as the “Sapin II Law.”

On July 27, 2017, the French Data Protection Authority (“CNIL”) imposed a fine of €40,000 on a French affiliate of the rental car company, The Hertz Corporation, for failure to ensure the security of website users’ personal data.

On July 27, 2017, Singapore submitted its notice of intent to join the APEC Cross-Border Privacy Rules (“CBPR”) system and the APEC Privacy Recognition for Processors System (“PRP”). Singapore would be the sixth member of the CBPR system, joining Canada, Japan, Mexico, the United States and the newest member, South Korea. The announcement was made by Dr. Yaacob Ibrahim, Minister for Communication and Information, at the Personal Data Protection Seminar 2017.

Recently, Nevada enacted an online privacy policy law which will require operators of websites and online services to post a notice on their website regarding their privacy practices. The Nevada law contains content requirements for online privacy notices, specifying that the notice must (1) identify the categories of personally identifiable information (“PII”) collected through the website and the categories of third parties with whom PII may be shared; (2) provide information about users’ ability to review and request changes to PII collected through the website; (3) disclose whether third parties may collect information about users’ online activities from the website; and (4) provide an effective date of the notice.

On July 26, 2017, the Court of Justice of the European Union (“CJEU”) declared that the envisaged EU-Canada agreement on the transfer of Passenger Name Records (“PNR Agreement”) interferes with the fundamental right to respect for private life and the right to the protection of personal data and is therefore incompatible with EU law in its current form. This marks the first instance where the CJEU has been asked to rule on the compatibility of a draft international agreement with the European Charter of Fundamental Human Rights.

On July 21, 2017, the FTC announced its publication of “Stick with Security,” a series of blog posts on reasonable steps that companies should take to protect and secure consumer data. The posts will build on the FTC’s Start with Security Guide for Businesses, and will be based on the FTC’s 60+ law enforcement actions, closed investigations and questions from businesses. Every Friday for the next few months, the FTC will publish on its Business Blog a new post focusing on each of the 10 “Start with Security” principles.

The ABA Journal has announced that it is accepting nominations for its Web 100 Amici award, which recognizes legal blogs. We hope you will continue to show your support for Hunton & Williams’ Privacy & Information Security Law blog by nominating the blog for this award.

On July 25, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced the release of an updated web tool that highlights recent data breaches of health information.

On July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for the following eight purposes:

In the third segment of this three-part series, Lisa Sotto, head of the Global Privacy and Cybersecurity practice at Hunton & Williams, discusses with The Electronic Discovery Institute how to respond to a data breach. It’s necessary, says Sotto, to have appropriate processes in place before a breach occurs. The “most important first step is to ensure that, when an issue arises, it’s escalated appropriately.”

Watch the full video.