Privacy & Information Security Law Blog

On September 19, 2013, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the first webcast in its new Hunton Global Privacy Update series. The program focused on the latest updates regarding the EU General Data Protection Regulation, recent Safe Harbor issues from both European and American perspectives, and cybersecurity developments on both sides of the Atlantic.

Hunton Global Privacy Update sessions are 30-minutes in length and are scheduled to take place every two months.

On September 9, 2013, the Organization for Economic Cooperation and Development (“OECD”) published its revised guidelines governing the protection of privacy and transborder flows of personal data (the “Revised Guidelines”), updating the OECD’s original guidelines from 1980 that became the first set of accepted international privacy principles.

On August 30, 2013, following the effort by the People’s Republic of China to establish a Consumer Rights Protection Bureau in 2012, the China Banking Regulatory Commission (the “CBRC”) issued a document entitled “Guidance for the Banking Sector on the Protection of the Rights of Consumers” (the “Guidance”). Among other things, the Guidance re-emphasizes the principle of protecting personal financial information. Banking institutions are required (1) to take effective measures to protect consumers’ personal financial information; (2) not to modify or illegally use consumers’ personal financial information; and (3) to prevent the disclosure of consumers’ personal financial information to any third party without the relevant consumers’ authorization or consent.

As reported in the Hunton Employment & Labor Perspectives Blog:

The U.S. District Court for the District of New Jersey recently ruled that non-public Facebook wall posts are protected under the Federal Stored Communications Act (the “SCA”) in Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11-CV-3305 (WMJ) (D.N.J. Aug. 20, 2013). The plaintiff was a registered nurse and paramedic at Monmouth-Ocean Hospital Service Corp. (“MONOC”). She maintained a personal Facebook profile and was “Facebook friends” with many of her coworkers but none of the MONOC managers. She adjusted her privacy preferences so only her “Facebook friends” could view the messages she posted onto her Facebook wall. Unbeknownst to the plaintiff, a coworker who was also a “Facebook friend” took screenshots of the plaintiff’s wall posts and sent them to a MONOC manager. When the manager learned of a wall post in which the plaintiff criticized Washington, D.C. paramedics in their response to a museum shooting, MONOC temporarily suspended the plaintiff with pay and delivered a memo warning her that the wall post reflected a “deliberate disregard for patient safety.” The plaintiff subsequently filed suit alleging violations of the SCA, among other claims.

On September 9, 2013, the Federal Trade Commission announced that it is seeking public comment on another proposed mechanism (submitted by Imperium, LLC) to obtain verifiable parental consent in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013. This announcement follows on the heels of a similar recent announcement that the Commission is seeking public comment on a parental consent mechanism proposed by a different company.

On September 5, 2013, the 16 German state data protection authorities and the Federal Commissioner for Data Protection and Freedom of Information (the “DPAs”) passed a resolution concerning recent revelations about the PRISM, Tempora and XKeyscore surveillance programs.

On September 10, 2013, the UK Information Commissioner’s Office (“ICO”) published guidance for companies receiving unwanted marketing (the “Guidance”). This Guidance was published as part of a broader focus on unwanted marketing in the UK.

On September 10, 2013, the UK Information Commissioner’s Office (“ICO”) published new guidance on direct marketing (the “Guidance”). The Guidance explains the application of the two principal legislative instruments that affect direct marketing in the UK: (1) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which relates specifically to direct marketing; and (2) the Data Protection Act 1998 (the “DPA”), which governs data protection issues generally. The Guidance is not legally binding, but it reflects the ICO’s interpretation of the requirements and indicates how the ICO is likely to enforce them.

On September 4, 2013, California state legislators passed an amendment to the state’s breach notification law. The bill, SB 46, would expand notification requirements to include security incidents involving the compromise of personal information that would permit access to an online or email account. Pursuant to SB 46, the definition of “personal information” contained in Sections 1798.29 and 1798.82 of California’s Civil Code would be amended to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” Notably, the compromise of these data elements alone  ̶  even when not in conjunction with an individual’s first name or first initial and last name  ̶  would trigger a notification obligation under the amended law. In addition, the bill does not limit the data elements that constitute “personal information” to those that would permit access to an individual’s financial account.

Recent news reports regarding the alleged purchase of personal information by a corporate investigative service firm in Shanghai have raised questions about the possibility of obtaining information about domestic Chinese companies from government corporate registration agencies.