Privacy & Information Security Law Blog

On March 11, 2013, in Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court effectively reinstated the suit against the retailer by answering favorably for the plaintiff three certified questions from the United States District Court for the District of Massachusetts regarding Massachusetts General Laws Chapter 93, Section 105(a) entitled “Consumer Privacy in Commercial Transactions” (“Section 105(a)”). The court ruled that (1) a ZIP code constitutes personal identification information under the Massachusetts law; (2) a plaintiff may bring an action for a violation of the Massachusetts law absent identity fraud; and (3) the term “credit card transaction form” refers equally to electronic and paper transaction forms. The Massachusetts court’s determination that a ZIP code constitutes personal identification information is similar to the determination in Pineda v. Williams-Sonoma Stores, Inc., in which the California Supreme Court held that ZIP codes are “personal identification information” under California’s Song-Beverly Credit Card Act. More than 15 states, including Massachusetts and California, have statutes limiting the type of information that retailers can collect from customers.

On February 20, 2013, the UK Court of Appeal issued its decision in Smeaton v Equifax Plc, [2013] EWCA Civ 108, overturning an award of damages to an individual about whom a credit reference agency had maintained an inaccurate record.

On March 8, 2013, the European Union’s Justice and Home Affairs Council held legislative deliberations regarding the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”).

On March 7, 3013, Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, provided testimony to the International Trade Commission at a hearing on “Digital Trade in the U.S. and Global Economies.” The ITC is investigating digital trade issues, including how privacy law may act as an impediment to international digital trade.

In his testimony, Abrams outlined how privacy and data protection law affect digital trade, addressing issues such as the legal obstacles to big data and analytics and how data protection law creates barriers to ...

On March 5, 2013, the French Data Protection Authority (the “CNIL”) announced that the French High Council for Statutory Auditors (“H3C”) and the U.S. Public Company Accounting Oversight Board (“PCAOB”) signed a Statement of Protocol (the “Protocol”) on January 31, 2013, to govern the exchange of information, including personal data, between them.

The French Data Protection Authority (the “CNIL”) reports that in late January 2013, representatives of the Article 29 Working Party and the Asia-Pacific Economic Cooperation group (“APEC”) met in Jakarta, Indonesia, to discuss interoperability between EU Binding Corporate Rules and APEC Cross-Border Privacy Rules governing international data transfers. The U.S. Department of Commerce also is participating in the process to develop a roadmap for future progress toward establishing tools companies can use to facilitate true interoperability ...

On March 6, 2013, the French Data Protection Authority (the “CNIL”) announced that it launched a consultation of relevant private and public actors for the purpose of determining whether the CNIL should adopt an initiative on “Open Data.”

Two recently-published German court decisions have clarified German employee data protection law. The decisions validate the independence of works councils in determining how to comply with data protection law and clarify when unused employee email accounts can be deleted.

On March 1, 2013, the German Federal Council (Bundesrat) passed a new registration law after insisting on a number of important amendments (in German). Among other issues covered in the bill, the new law regulates how businesses can obtain the registered addresses of individuals in Germany from Germany’s public authorities (“official address data”) and use that information for commercial purposes.

On February 27, 2013, the Article 29 Working Party (the “Working Party”) issued a statement on the European Commission’s proposed revised data protection framework (“Statement”), including the proposed General Data Protection Regulation (“Proposed Regulation”). The Working Party offered amendments to the Proposed Regulation in the form of two Annexes to the Statement on the topics of competence and lead data protection authority (“DPA”) and the exemption for household or personal activities.