Privacy & Information Security Law Blog

On October 5, 2012, the Article 29 Working Party (the “Working Party”) issued an Opinion providing further input on the recent data protection reform discussions in the EU. The Opinion follows the Working Party’s first Opinion on the EU data protection reform proposals issued on March 23, 2012.

The absence of congressional action on cybersecurity legislation has spurred efforts by various entities to exert influence over cybersecurity policy. This client alert focuses on some of those efforts, including the Federal Energy Regulatory Commission’s (“FERC’s”) creation of a new cybersecurity office, North American Electric Reliability Corporation (“NERC”) action on cybersecurity Critical Infrastructure Protection (“CIP”) standards, continuing legislative developments concerning cybersecurity and anticipated White House executive orders on cybersecurity.

On October 4, 2012, the Federal Trade Commission announced that Artist Arena LLC (“Artist Arena”), an operator of fan websites for several popular recording artists, agreed to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the FTC’s COPPA Rule (“the Rule”) by improperly collecting personal information from children under the age of 13 without first obtaining verifiable parental consent. The settlement will impose a $1 million penalty on Artist Arena, bar future violations of the Rule and require deletion of the information collected in violation of the Rule.

As reported in the Hunton Employment & Labor Perspectives Blog:

Employees use social media extensively in communication for personal and business reasons. Employers are increasingly monitoring this use, and insisting on access to some of the more popular sites. California took notice of this trend and passed legislation to protect employee privacy. On September 27, 2012, Governor Edmund G. Brown Jr. signed AB 1844 making California the third state to limit access to employees’ social media account, joining Maryland and Illinois.

On September 22, 2012, the Peruvian Ministry of Justice and Human Rights issued a draft regulation to implement Peru’s new Personal Data Protection Law. The comment period expires on October 5, 2012; however, the U.S. Department of Commerce’s International Trade Administration has requested an extension to allow additional time for comments. The Centre for Information Policy Leadership at Hunton & Williams LLP is considering high-level comments on the draft regulation. It is thought that Peru may intend to issue the final regulation prior to the 34th International ...

On September 27, 2012, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), together with the German Federal Commissioner for Data Protection, published a guide on traffic data retention. The guide, which is aimed at telecom providers, includes a comprehensive chart that clarifies data retention periods for different types of services, such as telephone, SMS, Internet and email, and their respective types of traffic data (e.g., mobile identification numbers, IP addresses and International Mobile Equipment Identity data) based on the purposes for the data storage.

On September 27, 2012, the European Commission presented its new strategy on cloud computing, entitled “Unleashing the Potential of Cloud Computing in Europe.” The Commission’s strategy is outlined on a new webpage that includes a communication document and a more detailed staff working paper.

On September 25, 2012, the Federal Trade Commission announced that it had settled a case involving allegations of spying by software company DesignerWare, LLC (“DesignerWare”) and several rent-to-own companies that rent computers to consumers, such as Aaron’s, Inc., ColorTyme, Inc., and Premier Rental Purchase. The FTC collaborated with Illinois Attorney General Lisa Madigan in its investigation.

As reported in the Hunton Employment & Labor Perspectives Blog:

On September 20, 2012, Administrative Law Judge Clifford H. Anderson struck down telecommunications company EchoStar Corporation’s policy prohibiting employees from making disparaging comments about it on social media sites. The National Labor Relations Board (“NLRB”) judge found that the prohibition, as well as a ban on employees using social media sites with company resources or on company time, chilled employees’ exercise of their rights under Section 7 of the National Labor Relations Act (“NLRA”). The EchoStar decision comes on the heels of the NLRB’s recent ruling striking down Costco Wholesale Corporation’s policy barring employees from posting statements online that were harmful to the company’s reputation.

On September 27, 2012, the UK Information Commissioner’s Office (“ICO”) published guidance on complying with the requirements of the UK Data Protection Act 1998 (“DPA”) in the context of cloud computing services (the “Guidance”). In its Guidance, the ICO reminds data controllers that transferring personal data to the cloud does not absolve them of their compliance obligations under the DPA.