Privacy & Information Security Law Blog

On January 21, 2015, the Federal Trade Commission announced that the U.S. District Court for the Central District of Illinois granted partial summary judgment on December 12, 2014, to the federal government in its action against Dish Network LLC (“Dish”), alleging that Dish violated certain aspects of the Telemarketing Sales Rule (“TSR”) that restrict placing calls to numbers on the National Do-Not-Call Registry and an entity’s internal Do-Not-Call list. The federal government is joined in the action against Dish by four state attorneys general alleging violations of the Telephone Consumer Protection Act and certain state laws related to telemarketing.

On January 12, 2015, the European Union Agency for Network and Information Security (“ENISA”) published a report on Privacy and Data Protection by Design - from policy to engineering (the “Report”). The “privacy by design” principle emphasizes the development of privacy protections at the early stages of the product or service development process, rather than at later stages. Although the principle has found its way into some proposed legislation (e.g., the proposed EU General Data Protection Regulation), its concrete implementation remains presently unclear. Hence, the Report aims to promote a discussion on how the principle can be implemented concretely and effectively with the help of engineering methods.

On January 14, 2015, the data protection authority of the German federal state of Schleswig-Holstein (“Schleswig DPA”) issued an appeal challenging a September 4, 2014 decision by the Administrative Court of Appeals, which held that companies using Facebook’s fan pages cannot be held responsible for data protection law violations committed by Facebook because the companies do not have any control over the use of the data.

Indiana Attorney General Greg Zoeller has prepared a new bill that, although styled a “security breach” bill, would impose substantial new privacy obligations on companies holding the personal data of Indiana residents. Introduced by Indiana Senator James Merritt (R-Indianapolis) on January 12, 2015, SB413 would make a number of changes to existing Indiana law. For example, it would amend the existing Indiana breach notification law to apply to all data users, rather than owners of data bases. The bill also would expand Indiana’s breach notification law to eliminate the requirement that the breached data be computerized for notices to be required.

On January 5, 2015, the State Administration for Industry and Commerce of the People’s Republic of China published its Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers (the “Measures”). The Measures contain a number of provisions defining circumstances or actions under which enterprise operators may be deemed to have infringed the rights or interests of consumers. These provisions are consistent with the basic rules in the currently effective P.R.C. Law on the Protection of Consumer Rights and Interests (“Consumer Protection Law”). The Measures will take effect on March 15, 2015.

On January 13, 2015, the French Data Protection Authority (the “CNIL”) published a Referential (the “Referential”) that specifies the requirements for organizations with a data protection officer (“DPO”) in France to obtain a seal for their data privacy governance procedures.

On January 13, 2015, President Obama announced legislative proposals and administration efforts with respect to cybersecurity, including a specific proposal for a national data breach notification standard. Aside from the national data breach notification standard, the President’s other proposals are designed to (1) encourage the private sector to increase the sharing of information related to cyber threats with the federal government and (2) modernize law enforcement to effectively prosecute illegal conduct related to cybersecurity.

On January 6, 2015, Federal Trade Commission Chairwoman Edith Ramirez gave the opening remarks on “Privacy and the IoT: Navigating Policy Issues” at the 2015 International Consumer Electronics Show (“International CES”) in Las Vegas, Nevada. She addressed the key challenges the Internet of Things (“IoT”) poses to consumer privacy and how companies can find appropriate solutions that build consumer trust.

On January 12, 2015, President Obama announced at the Federal Trade Commission several new initiatives on data security and consumer privacy as part of a weeklong focus on privacy and cybersecurity. He noted that on January 13 at the Department of Homeland Security, he would address how to improve protections against cyber attacks, and on January 14, he would address how more Americans can have access to faster and cheaper broadband Internet. He stated that the announcements he is making this week are “sneak previews” of the proposals he will make in next week’s State of the Union address.

On January 5, 2015, the Alameda County District Attorney’s Office announced that Safeway Inc. (“Safeway”) has agreed to pay $9.87 million to settle claims that the company unlawfully disposed of customer medical information and hazardous waste in violation of California’s Confidentiality of Medical Information Act and Hazardous Waste Control Law. In a series of waste inspections from 2012 to 2013, a group of California district attorneys and environmental regulators found that Safeway was disposing of both its pharmacy customers’ confidential information and various types of hazardous wastes in the company’s dumpsters. Based on the investigation, 42 California district attorneys and two city attorneys brought a complaint on December 31, 2014, alleging, among other things, that more than 500 Safeway stores and distribution centers engaged in the disposal of their customers’ medical information in a manner that did not preserve the confidentiality of the information.