Privacy & Information Security Law Blog

On August 6, 2013, the Obama Administration posted links on The White House Blog to reports from the Departments of Commerce, Homeland Security and Treasury containing recommendations on incentivizing companies to align their cybersecurity practices with the Cybersecurity Framework. These reports respond to the Administration’s February 2013 executive order entitled Improving Critical Infrastructure Cybersecurity (the “Executive Order”).

The American Bar Association Journal is compiling a list of the 100 best legal blogs of 2013 and readers are invited to submit nominations. We would appreciate you showing your support by submitting a nomination for Hunton & Williams’ Privacy and Information Security Law. PR News named Hunton & Williams’ Privacy Blog the Best Legal PR Blog of 2011.

Submissions will be accepted through this Friday, August 9, so please vote now!

On August 6, 2013, the UK Information Commissioner’s Office (“ICO”) opened a new consultation on a draft code of practice on conducting privacy impact assessments (the “Code”).

As reported by Bloomberg BNA, the Irish Office of the Data Protection Commissioner (“ODPC”) has stated that it will not investigate complaints relating to the alleged involvement of Facebook Ireland Inc. (“Facebook”) and Apple Distribution International (“Apple”) in the PRISM surveillance program.

On April 19, 2013, the North Dakota legislature amended the state’s breach notification law (Section 51-30-01 of the North Dakota Century Code) to expand the definition of “personal information” to include “health insurance information” and “medical information.” Pursuant to the amended breach law, “health insurance information” is defined to mean an “individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.” “Medical information” is defined to mean “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.” The amendment also carves out an exemption for covered entities, business associates and subcontractors that are subject to the breach notification requirements of 45 C.F.R. 164, Subpart D.

On July 26, 2013, the Federal Trade Commission announced updates to its frequently asked questions regarding the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The updated FAQs, which have replaced the June 2013 version on the FTC’s Business Center website, provide additional information in the sections addressing websites and online services directed to children and disclosure of information to third parties.

On July 16, 2013, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) issued a new rule entitled Provisions on the Registration of Real Identity Information of Telephone Users (the “Provisions”), which will take effect on September 1, 2013. The Provisions were issued pursuant to the Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet (the “Resolution”) and the Telecommunications Regulations of the People’s Republic of China. In April 2013, the MIIT issued a draft of the Provisions and solicited public comment.

On July 25, 2013, the U.S. Department of Commerce’s National Telecommunications and Information Administration announced the release of the Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices, which was developed through the Privacy Multistakeholder Process: Mobile Application Transparency convened by the Department of Commerce. The voluntary Code of Conduct provides guidance regarding short-form notices about the collection and sharing of consumer information with third parties. Short-form notices that comply with the Code of Conduct generally must contain the following content:

On July 16, 2013, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) issued a new rule entitled Provisions on the Protection of Personal Information of Telecommunications and Internet Users (the “Provisions”). The Provisions, which will take effect on September 1, 2013, are intended to implement the general requirements set forth in last December’s Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet (the “Resolution”). The Provisions are the first specific regulations concerning personal information protection by telecommunications service providers in China.

On July 22-23, 2013, the APEC E-Commerce Business Alliance and the China International Electronic Commerce Center, a subsidiary organization of the Ministry of Commerce of the People’s Republic of China, held a seminar in Beijing entitled Workshop on the Online Data Privacy Protection in APEC Region. In addition to delegates from Mainland China, representatives from numerous other jurisdictions were in attendance, including the United States, the United Kingdom, Malaysia, Vietnam, South Korea, Hong Kong and Taiwan.