Privacy & Information Security Law Blog

On October 13, 2016, Elizabeth Denham, the UK Information Commissioner, suggested that directors of companies who violate data protection laws should be personally liable to pay fines at a House of Commons Public Bill Committee meeting when discussing the latest draft of the Digital Economy Bill (the “Bill”). The Bill is designed to enable businesses and individuals to access fast, digital communications services, promote investment in digital communications infrastructure and support the “digital transformation of government.” Measures to improve the digital landscape contained in the Bill include the introduction of a new Electronic Communications Code and more effective controls to protect citizens from nuisance calls. More controversially, however, the Bill also contains provisions both enabling and controlling the sharing of data between public authorities and private companies.

A recent study from the National Institute of Standards and Technology (“NIST”) warns that an overabundance of computer security measures might actually lead users to engage in “risky computing behavior at work and in their personal lives.”

On October 27, 2016, the Federal Communications Commission (“FCC”) will vote on whether to finalize proposed rules (the "Proposed Rules”) concerning new privacy restrictions for Internet Service Providers (“ISPs”). The Proposed Rules, which revise previous versions introduced earlier this year, would require customers’ explicit (or “opt-in”) consent before an ISP can use or share a customer’s personal data, including web browsing and app usage history, geolocation data, children’s information, health information, financial information, email and other message contents and Social Security numbers.

On October 3, 2016, the Texas Attorney General announced a $30,000 settlement with mobile app developer Juxta Labs, Inc. (“Juxta”) stemming from allegations that the company violated Texas consumer protection law by engaging in false, deceptive or misleading acts or practices regarding the collection of personal information from children.

On October 4, 2016, the U.S. Department of Defense (“DoD”) finalized its rule implementing the mandatory cyber incident reporting requirements for defense contractors under 10 U.S.C. §§ 391 and 393 (the “Rule”). The Rule applies to DoD contractors and subcontractors that are targets of any cyber incident with a potential adverse impact on information systems and “covered defense information” on those systems.

Episode 3: Lessons Learned

In the third segment of our 3-part series with Lawline, Lisa J. Sotto, head of our Global Privacy and Cybersecurity practice at Hunton & Williams LLP, discusses the details of the post-mortem following a data breach and the role of boards of directors before, during and after a breach. “We always want to revisit our incident response plan…and make changes to incorporate the lessons learned from a cyber event,” Sotto says. “We seek to ensure senior leadership understands how to prevent these events from happening in the future.”

In September, the Centre for Information Policy Leadership (“CIPL”) held its second GDPR Workshop in Paris as part of its two-year GDPR Implementation Project. The purpose of the project is to provide a forum for stakeholders to promote EU-wide consistency in implementing the GDPR, encourage forward-thinking and future-proof interpretations of key GDPR provisions, develop and share relevant best practices, and foster a culture of trust and collaboration between regulators and industry.  

On October 3, 2016, at the Paris Motor Show, the French Data Protection Authority ("CNIL") reported on the progress of a new compliance pack on connected vehicles. The work was launched on March 23, 2016, and should be finalized in Spring 2017.

On September 27, 2016, Cloud Infrastructure Services Providers in Europe (“CISPE”) published its Data Protection Code of Conduct (the “Code”). CISPE, a relatively new coalition of more than 20 cloud infrastructure providers with operations in Europe, has focused the Code on transparency and compliance with EU data protection laws.

On September 23, 2016, the European Data Protection Supervisor (the “EDPS”) released Opinion 8/2016 (the “Opinion”) on the coherent enforcement of fundamental rights in the age of big data. The Opinion updates the EDPS’ Preliminary Opinion on Privacy and Competitiveness in the Age of Big Data, first published in 2014, and provides practical recommendations on how the EU’s objectives and standards can be applied holistically across the EU institutions. According to the EDPS, the Digital Single Market Strategy presents an opportunity for a coherent approach with respect to the application of EU rules on data protection, consumer protection, antitrust enforcement and merger control. In addition, the EDPS calls for greater dialogue and cooperation between data protection, consumer and competition authorities in order to protect the rights and interests of individuals, including the rights to privacy, freedom of expression and non-discrimination.