Privacy & Information Security Law Blog

On October 27, 2013, the South Korean Ministry of Security and Public Administration indicated that the government will issue certifications to private and public organizations that meet certain requirements of the Personal Information Protection Act. According to The Korea Times, organizations will be able to apply for the certification with the National Information Society Agency (“NISA”) beginning on November 28, 2013. The number of requirements that an organization will be assessed against will depend on the size of the organization. The Korea Times reports ...

As we reported on October 8, 2013, the Information Commissioner’s Office (“ICO”) has announced it is reviewing its Privacy Notices Code of Practice (the “Code”) to assess whether it should be updated. In anticipation of the November 30^th closing date for comments on the Code, today the ICO’s Head of Policy Delivery posted a request for feedback on the ICO’s blog.

On November 26, 2013, Kazakhstan’s new data privacy law, On Personal Data and Their Protection, will come into effect. The law was passed on May 21, 2013. Kazakhstan is the second country in Central Asia to enact a data privacy law, joining the Kyrgyz Republic, which passed the Law on Personal Data in 2008.

On November 2, 2013, Hunton & Williams partner Paul M. Tiao was featured on the Voice of America discussing the importance of the National Security Agency restoring trust among industry and foreign government allies. In the feature, “Next NSA Chief to Face Challenges, Change,” Tiao talked about some of the difficulties that will confront the NSA Director’s successor, and why government surveillance is likely to continue.

On October 25, 2013, the Standing Committee of the National People’s Congress of the People’s Republic of China passed an amendment to the P.R.C. Law on the Protection of Consumer Rights and Interests (the “Amendment”). The Amendment, which was adopted after three readings and will take effect on March 15, 2014, adds provisions designed to respond to the recent boom in online shopping and focuses on improving protections in the area of consumer rights and interests by:

On October 22, 2013, the Federal Trade Commission announced a proposed settlement with Aaron’s, Inc. (“Aaron’s”) stemming from allegations that it knowingly assisted its franchisees in spying on consumers. Specifically, the FTC alleged that Aaron’s facilitated its franchisees’ installation and use of software on computers rented to consumers that surreptitiously tracked consumers’ locations, took photographs of consumers in their homes, and recorded consumers’ keystrokes in order to capture login credentials for email, financial and social media accounts. The FTC had previously settled similar allegations against Aaron’s and several other companies.

On October 22, 2013, the National Institute of Standards and Technology (“NIST”) issued the Preliminary Cybersecurity Framework (the “Preliminary Framework”), as required under Section 7 of the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”). The Preliminary Framework includes standards, procedures and processes for reducing cyber risks to critical infrastructure. It will be published in the Federal Register within a few days for public comment. Under the Executive Order, NIST is required to issue a final version of the Framework in February 2014. NIST is planning to host a public workshop on the Preliminary Framework in mid-November to give industry and other groups an opportunity to provide their views on this document.

On October 21, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). The approval follows months of negotiations between the various parliamentary committees. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) has been in charge of working toward an agreement on the Compromise Text in the European Parliament.

On October 19, 2013, the Center for Internet and Society (“CIS”), the Federation of Indian Chambers of Commerce and Industry, and the Data Security Council of India held a Privacy Roundtable in New Delhi, the last in a series of roundtables that began in April 2013. The events were designed to elicit comments on a draft Privacy Protection Bill, proposed legislation for a privacy and personal data protection regime in India. The law would regulate the collection and use of personal data in India, as well as surveillance and interception of communications.

On October 12, 2013, California Governor Jerry Brown vetoed an electronic communications privacy bill. The bill, SB 467, would have compelled law enforcement to obtain a search warrant before seeking to access any email or other electronic communication maintained by service providers. The bill went beyond the scope of the federal Electronic Communications Privacy Act, which obligates law enforcement to obtain search warrants only for electronic communications that are unopened or stored by service providers for fewer than 180 days. The California bill was very similar to a bill signed into law in Texas earlier in 2013 that required law enforcement agencies to obtain warrants before accessing customer electronic data held by email service providers.