Privacy & Information Security Law Blog

On January 28, 2015, in connection with Data Protection Day, newly appointed European Data Protection Supervisor (“EDPS”) Giovanni Buttarelli spoke about future challenges for data protection. Buttareli encouraged the EU “to lead by example as a beacon of respect for digital rights,” and “to be at the forefront in shaping a global, digital standard for privacy and data protection which centers on the rights of the individual.” Buttarelli stressed that in the context of global technological changes, “the EU has to make existing data protection rights more effective in practice, and to allow citizens to more easily exercise their rights.”

On January 1, 2015, Finland’s Information Security Code (2014/ 917, the “Code”) became effective. The Code introduces substantial revisions to Finland’s existing electronic communications legislation and consolidates several earlier laws into a single, unified text. Although many of these earlier laws remain unchanged, the Code includes extensive amendments in a number of areas.

On January 27, 2015, the Federal Trade Commission announced the release of a report on the Internet of Things: Privacy and Security in a Connected World (the “Report”). The Report describes the current state of the Internet of Things, analyzes the benefits and risks of its development, applies privacy principles to the Internet of Things and discusses whether legislation is needed to address this burgeoning area. The Report follows a workshop by the FTC on this topic in November 2013.

On January 28, 2015, the German conference of data protection commissioners hosted a European Data Protection Day event called Europe: Safer Harbor for Data Protection? – The Future Use of the Different Level of Data Protection between the EU and the US.

On February 11, 2015, the International Association of Privacy Professionals Australian New Zealand (“iappANZ”) will host a discussion on the risk-based approach to privacy in Sydney, Australia. Richard Thomas, Global Strategy Advisor for the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”), will present the Centre’s contributions to this topic including the outcomes from the workshops held in Paris and Brussels. Other guest speakers include Timothy Pilgrim, Australian Privacy Commissioner; Dr. Elizabeth Coombs, New South Wales Privacy Commissioner; and Olga Ganopolsky, General Counsel of Privacy and Data at Macquarie Group Limited. Together, they will discuss the benefits and challenges of a risk-based approach and the implications for businesses and regulators.

On January 21, 2015, the Federal Trade Commission announced that the U.S. District Court for the Central District of Illinois granted partial summary judgment on December 12, 2014, to the federal government in its action against Dish Network LLC (“Dish”), alleging that Dish violated certain aspects of the Telemarketing Sales Rule (“TSR”) that restrict placing calls to numbers on the National Do-Not-Call Registry and an entity’s internal Do-Not-Call list. The federal government is joined in the action against Dish by four state attorneys general alleging violations of the Telephone Consumer Protection Act and certain state laws related to telemarketing.

On January 12, 2015, the European Union Agency for Network and Information Security (“ENISA”) published a report on Privacy and Data Protection by Design - from policy to engineering (the “Report”). The “privacy by design” principle emphasizes the development of privacy protections at the early stages of the product or service development process, rather than at later stages. Although the principle has found its way into some proposed legislation (e.g., the proposed EU General Data Protection Regulation), its concrete implementation remains presently unclear. Hence, the Report aims to promote a discussion on how the principle can be implemented concretely and effectively with the help of engineering methods.

On January 14, 2015, the data protection authority of the German federal state of Schleswig-Holstein (“Schleswig DPA”) issued an appeal challenging a September 4, 2014 decision by the Administrative Court of Appeals, which held that companies using Facebook’s fan pages cannot be held responsible for data protection law violations committed by Facebook because the companies do not have any control over the use of the data.

Indiana Attorney General Greg Zoeller has prepared a new bill that, although styled a “security breach” bill, would impose substantial new privacy obligations on companies holding the personal data of Indiana residents. Introduced by Indiana Senator James Merritt (R-Indianapolis) on January 12, 2015, SB413 would make a number of changes to existing Indiana law. For example, it would amend the existing Indiana breach notification law to apply to all data users, rather than owners of data bases. The bill also would expand Indiana’s breach notification law to eliminate the requirement that the breached data be computerized for notices to be required.

On January 5, 2015, the State Administration for Industry and Commerce of the People’s Republic of China published its Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers (the “Measures”). The Measures contain a number of provisions defining circumstances or actions under which enterprise operators may be deemed to have infringed the rights or interests of consumers. These provisions are consistent with the basic rules in the currently effective P.R.C. Law on the Protection of Consumer Rights and Interests (“Consumer Protection Law”). The Measures will take effect on March 15, 2015.