Privacy & Information Security Law Blog

As policymakers around the world consider revisions to existing privacy and data protection law, they often refer to “interoperability” as a mechanism to facilitate the flow of data across national and regional borders. Reports released this year by the Obama Administration and the Federal Trade Commission recognize the value of interoperability to the growth of the digital economy and improving privacy compliance. Principles underlying the APEC framework would support a system for transferring data across APEC economies, and the OECD has acknowledged that regulatory authorities worldwide share the responsibility of promoting the protection of cross-border data flows. But although interoperability is expected to help lower barriers to data transfers, simplify compliance and protect individuals’ rights, there has been little discussion of how interoperability would work in practice.

On June 7, 2012, the Article 29 Working Party (the “Working Party”) adopted an Opinion analyzing the exemptions to the prior opt-in consent requirement for cookies. Although the Opinion focuses on cookies, the Working Party also notes that the same analysis applies to any technology allowing information to be stored or accessed on a user’s computer or mobile device.

On June 12, 2012, the Federal Trade Commission announced a settlement agreement with data broker Spokeo, Inc. (“Spokeo”). The FTC alleged that Spokeo operated as a consumer reporting agency and violated the Fair Credit Reporting Act (“FCRA”), and that certain of its advertisements were deceptive in violation of Section 5 of the FTC Act. The proposed settlement order imposes a $800,000 civil penalty on Spokeo and prohibits future violations of the FCRA. This is the first FTC case to address the sale of Internet and social media data in the employment screening context.

On May 24, 2012, Hunton & Williams LLP and Jordan Lawrence Group hosted a webcast on “Preparing for a New U.S. Privacy Landscape: An Overview of the FTC and White House Frameworks.” The webcast featured Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams, Aaron P. Simpson, partner at Hunton & Williams, and Rebecca Perry, Executive Vice President of Professional Services of Jordan Lawrence Group.

Hunton & Williams LLP is pleased to announce its 2012 top rankings from Chambers and Partners and The Legal 500: United States. The firm consistently has maintained its number one ranking in both surveys for its Privacy and Data Security practice.

On May 24, 2012, Massachusetts Attorney General Martha Coakley announced that South Shore Hospital agreed to a consent judgment and $750,000 payment to settle a lawsuit stemming from a data breach that occurred in February 2010. At that time, South Shore Hospital shipped several boxes of unencrypted back-up tapes to a service provider in Texas to erase them. The tapes contained the personal and protected health information of approximately 800,000 individuals, including names, Social Security numbers, financial account numbers and medical diagnoses. Several of the boxes went missing and have yet to be recovered, though there is no evidence that the information on the missing tapes has been misused.

On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference hosted in Washington, D.C. by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.

On June 1, 2012, the Attorney General of Vermont announced a series of recent legislative moves to enhance the state’s consumer protection laws, including amendments to Vermont’s security breach notification law. The changes, which were signed into law by Governor Peter Shumlin in early May, include a revised definition of “security breach,” the addition of a 45-day timing requirement for notifying affected consumers, and a requirement to notify the state Attorney General within 14 days of discovering the breach (or when notifying consumers, if sooner).

On May 24, 2012, the German Federal Government submitted to the Parliament (Bundestag) a proposal to amend the Geodatenzugangsgesetz, a federal law concerning access to geographical data that has been in force since 2009.

The current law implements Directive 2007/2/EC of the European Parliament and of the Council of 14 March 2007 establishing an Infrastructure for Spatial Information in the European Community (“INSPIRE”). In addition to establishing a national geographical data infrastructure, the law aims to provide a legal framework for (1) accessing geographical data, geographical data services and metadata of organizations that maintain such data, and (2) using such data and services, in particular with regard to measures that may affect the environment. The law applies to federal agencies and corporations under public law.

In recent months, two high-profile cases involving Hulu and Netflix have raised questions regarding the scope and application of the Video Privacy Protection Act (“VPPA”), a federal privacy law that has been the focus of increasing attention over the past few years. In the Hulu case, Hulu users claimed that the subscription-based video streaming service disclosed their viewing history to third parties.