Privacy & Information Security Law Blog

This week, the Article 29 Working Party (“Working Party”) prepares to debate various proposals on the “one-stop-shop” mechanism under the proposed EU General Data Protection Regulation (“Regulation”). Hunton & Williams’ Global Privacy and Cybersecurity practice and its Centre for Information Policy Leadership submitted a strategy paper on the one-stop-shop to the Working Party. The paper proposes a methodology for selecting and defining the role of a lead regulatory authority with the objective of making the one-stop-shop more operational, flexible and viable. The work draws on a more detailed article published on November 3, 2014, by Hunton & Williams senior attorney Rosemary Jay in the magazine for the Society for Computers and Law, entitled The “One Stop Shop” – Working in Practice.

On October 8, 2014, the United States District Court for the Northern District of Georgia granted Cartoon Network, Inc.’s (“Cartoon Network’s”) motion to dismiss a putative class action alleging that Cartoon Network’s mobile app impermissibly disclosed users’ personally identifiable information (“PII”) to a third party data analytics company under the Video Privacy Protection Act (“VPPA”).

On November 3, 2014, the Federal Financial Institutions Examination Council (“FFIEC”), on behalf of its members, released a report entitled FFIEC Cybersecurity Assessment General Observations (the “Report”) that contains observations from recent cybersecurity assessments conducted at over 500 community financial institutions as part of the FFIEC cybersecurity examination work program. The Report summarizes themes from the assessments and provides suggested questions for chief executive officers and boards of directors to ask when assessing their institutions’ cybersecurity preparedness. In light of the assessments, the FFIEC announced that its members will review and update current FFIEC cybersecurity guidance.

On October 30, 2014, the Supreme Court of Canada extended the deadline for the province of Alberta to amend its Personal Information Protection Act (“PIPA”). In November 2013, the Supreme Court of Canada declared PIPA invalid because it interfered with the right to freedom of expression in the labor context under Section 2(b) of the Canadian Charter of Rights and Freedoms. The Supreme Court of Canada gave the Alberta legislature 12 months to determine how to make the legislation constitutionally compliant, which it apparently failed to do. The new deadline for amending PIPA is May 2015.

On October 24, 2014, the Federal Communications Commission announced that it intends to impose a $10 million fine on TerraCom, Inc. (“TerraCom”) and YourTel America, Inc. (“YourTel”) for violating privacy laws relating to their customers’ personal information. This announcement marks the FCC’s first enforcement action in the data security arena as well as its largest privacy action to date.

On October 28, 2014, the Federal Communications Commission announced that it has joined the Global Privacy Enforcement Network (“GPEN”), a network of approximately 50 privacy enforcement authorities from around the world. The FCC is the second U.S. privacy enforcement authority to join GPEN. The other U.S. member, the Federal Trade Commission, helped establish the network in 2010.

The UK government has announced proposals designed to make it easier for the Information Commissioner’s Office (“ICO”) to fine companies responsible for nuisance calls and text messages. Under the proposals, the current maximum fine of £500,000 would remain unchanged, but the threshold for imposing fines would be lowered.

The Council of the European Union has published proposed revisions to the compliance obligations of data controllers and data processors included in Chapter IV of the forthcoming EU General Data Protection Regulation (“Regulation”). This proposal was led by the current Italian Presidency and the revisions reflect input from representatives of the national governments of the EU Member States.

On October 28, 2014, California Attorney General Kamala D. Harris announced the release of the second annual California Data Breach Report. The report provides information on data breaches reported to California’s Attorney General in 2012 and 2013. Overall, 167 breaches were reported by 136 different entities to California’s Attorney General in 2013. According to the report, 18.5 million records of California residents were compromised by these reported breaches, up more than 600 percent from the 2.6 million records compromised in 2012. In addition, the number of reported data breaches increased by 28 percent in 2013, rising from 131 in 2012 to 167 in 2013.

Eduardo Cunha, a congressman from the Brazilian Democratic Movement Party in Rio de Janeiro, recently introduced a new bill in Brazil that provides Brazilians with a right to be forgotten (PL 7881/2014). Rep. Cunha is one of the most influential congressmen in Brazil and has been reported likely to be the next Speaker of the Brazilian House of Representatives (also translated as the “Chamber of Deputies”).