Privacy & Information Security Law Blog

On July 26, 2012, acting U.S. Secretary of Commerce Rebecca Blank announced that APEC’s Joint Oversight Panel has approved the United States’ request to participate in the APEC Cross-Border Privacy Rules System. The panel also approved the Federal Trade Commission’s participation as the system’s first privacy enforcement authority. The next step will be for the United States to nominate one or more accountability agents for the panel’s approval. Accordingly, the Department of Commerce will publish a Federal Register Notice in the coming days to provide guidance on how potential accountability agents may seek recognition. Once a U.S. accountability agent has been approved, American companies will be able to submit their cross-border privacy rules to be recognized as meeting the APEC standard.

As reported in BNA’s Privacy & Security Law Report,on June 25, 2012, a federal district court in California ruled that the California Supreme Court’s 2011 Pineda decision, which held that requesting and recording zip codes during credit card transactions violates the state’s Song-Beverly Credit Card Act, applies retrospectively to OfficeMax’s collection of zip codes from its customers. The Plaintiffs in Dardarian v. OfficeMax had filed a class action lawsuit against OfficeMax over the company’s collection of ZIP code information from customers at the point of sale, a practice that OfficeMax ended the day the Pineda decision was handed down.

On July 19, 2012, California Attorney General Kamala Harris announced the formation of a new Privacy Enforcement and Protection Unit (“Privacy Unit”) within the state’s Department of Justice. The new unit will centralize existing Department of Justice efforts to protect privacy, educate consumers and forge partnerships with relevant industry players. According to the Attorney General’s press release, the broad mission of the Privacy Unit will include enforcing laws on issues such as cyber privacy, health privacy, financial privacy, identity theft, government ...

Lisa Sotto, partner and head of the Global Privacy and Data Security Practice at Hunton & Williams, was interviewed on July 18, 2012 about her participation in the USAID-funded Judicial Reform and Government Accountability Project’s initiative to educate and provide data protection awareness to the Serbian government. As we reported last week, Sotto was invited to Belgrade to assist Rodoljub Sabic, Serbia’s Commissioner for Information of Public Importance and Personal Data Protection, and the JRGA Project. Sotto, who also is Chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, spent last week advising the Commission on steps to enhance Serbia’s data protection framework.

On July 12, 2012, the National Telecommunications and Information Administration (“NTIA”) of the U.S. Department of Commerce initiated a multistakeholder process to develop guidance for transparency in the mobile environment. The NTIA has announced that they will schedule a second meeting in August, and encouraged small group discussions in the interim. This is not the first multistakeholder process to wrestle with transparency in the mobile environment, and those previous efforts – which date back almost a decade – may prove useful to such discussions.

On July 12, 2012, the National Telecommunications and Information Administration (“NTIA”) of the U.S. Department of Commerce convened the first meeting of its multistakeholder process to develop industry codes of conduct. As we reported in June, the stated purpose for this meeting, entitled “Seeking Common Ground Regarding Mobile Application Transparency,” was to establish “a working dialogue that will eventually lead to a code of conduct that is broadly adopted.” Lawrence Strickling, Department of Commerce Assistant Secretary for Communications and Information, opened the session, which he characterized as an effort to highlight the key issues and explore topics to be addressed. Strickling emphasized that the structure and approach to the work would likely differ from that with which participants were familiar, and that it would be important to arrive at a constructive process that encourages collaboration and open engagement.

On June 27, 2012, the Hong Kong Legislative Council passed a bill to amend the Personal Data (Privacy) Ordinance (the “Ordinance”). The amendment will become effective in phases. Most provisions will become effective on October 21, 2012, and the others will take effect on a day to be announced by publication in the Hong Kong Government Gazette.

In a July 9, 2012 press release issued by Rodoljub Sabic, Serbia’s Commissioner for Information of Public Importance and Personal Data Protection, the Commissioner commented on his meeting with Hunton & Williams’ Lisa Sotto, who was invited to Serbia by the Commissioner and the USAID-funded Judicial Reform and Government Accountability Project to provide advice and education on data protection issues.

In June, China’s National Internet Information Office and its Ministry of Industry and Information Technology jointly published draft amendments to the Regulation on Internet Information Services (the “Regulation”). The amendments update the Regulation to cover new issues related to the rapid development of Internet services in China since the Regulation first took effect on September 25, 2000. Although the Regulation originally contained no specific provisions directly pertaining to the protection of personal information, the draft amendments do address personal information protection issues.

The Department of Health and Human Services Office for Civil Rights (“OCR”) has posted an audit protocol on its website to provide information about the procedures currently being used by OCR as part of its new audit program.

The protocol is presented in a sortable table format listing the applicable sections of the relevant rules and the established performance criteria, key activities and audit procedures associated with each section. The audit protocol for the HIPAA Security Rule also lists whether the implementation specification is required or addressable pursuant to that Rule.