Privacy & Information Security Law Blog

On November 28, 2012, the UK Information Commissioner’s Office (“ICO”) issued monetary penalties totaling £440,000 to two owners of a marketing company that sent millions of unlawful spam SMS text messages over a period of three years.

On November 26, 2012, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published guidance on the two methods for de-identifying protected health information (“PHI”) in accordance with the HIPAA Privacy Rule. The guidance, which was required by the Health Information Technology for Clinical and Economic Health (“HITECH”) Act, has been developed over several years by OCR in collaboration with healthcare entities and other industry experts and builds upon the discussions from a workshop on de-identification that took place in March 2010.

On November 27, 2012, the International Chamber of Commerce of the United Kingdom (“ICC UK”) released the second edition of its cookie guidance (the “Guidance”). The ICC UK released the first edition of the Guidance in April of this year, and has produced this latest version to take into account updated guidance released by the UK Information Commissioner’s Office (“ICO”), the Article 29 Working Party Opinion 04/2012 on cookie consent exemption and new UK advertising rules on online behavioral advertising.

On November 19, 2012, 40 German advertising associations launched the “German Data Protection Council for Online Advertising,” a new initiative to coordinate and enforce self-regulation in the German online behavioral advertising (“OBA”) sector. The initiative is linked to the European Interactive Digital Advertising Alliance (“EDAA”), which manages the self-regulation efforts of the European online advertising industry.

On December 3, 2012, the Centre for Information Policy Leadership (the “Centre”) at Hunton & Williams will co-host a special International Association of Privacy Professionals (“IAPP”) KnowledgeNet meeting in Brussels, Belgium. The meeting will explore global developments in accountability in the context of the proposed EU Data Protection Regulation and the impact of accountability on data protection management.

Hunton & Williams is pleased to announce the firm maintained its top-tier “Band 1” ranking in Data Protection in the 2013 edition of Chambers UK. Our London-based principals also maintained their high rankings as leading Data Protection lawyers:

• Bridget Treacy, managing partner of the firm’s London office and head of the UK Privacy and Data Security practice, was ranked as a “Star Individual.”
• Richard Thomas, Global Strategy Advisor to the Centre for Information Policy Leadership at Hunton & Williams LLP, was ranked as a “Senior Statesman.”
• Rosemary Jay, a senior ...

In late October 2012, California Attorney General Kamala D. Harris began sending letters to approximately 100 mobile app operators, informing them that they are not in compliance with the California Online Privacy Protection Act (“CalOPPA”). Pursuant to CalOPPA, “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service” must post a privacy policy that contains specified elements. A mobile app arguably could be an “online service” under CalOPPA, which provides that an online service operator that collects “personally identifiable information” and “fails to post its policy within 30 days after being notified of noncompliance” is in violation of CalOPPA. The law affects a wide range of mobile app operators because of its very broad definition of “personally identifiable information,” which includes any “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form,” such as a name, an email address or any other identifier “that permits the physical or online contacting of a specific individual.”

On November 16, 2012, European Data Protection Supervisor Peter Hustinx published an Opinion on the European Commission’s Communication on cloud computing (part of the Commission’s broader cloud computing strategy). The Opinion focuses on the accountability principle and emphasizes the importance of clearly defining the responsibilities of all parties involved in cloud computing, and analyzes specific cloud computing issues in the context of both the current EU data protection framework, as well as the proposed General Data Protection Regulation.

On November 15, 2012, the UK Office of Fair Trading (the “OFT”) launched a call for information to investigate whether offering “personalized pricing” based on data companies collect about consumers’ online behavior violates consumer protection legislation in the UK. The OFT will look at how companies gather data related to “consumers’ browsing history, purchases, demographic, hardware, operating system, etc and use this to personalise products and prices.” In particular, as indicated on the OFT’s website, the OFT will analyze:

On November 20, 2012, the UK Information Commissioner’s Office (“ICO”) published guidance on IT asset disposal for organizations (the “Guidance”) to explain “to data controllers what they need to consider when disposing of electronic equipment that may contain personal data.”