Privacy & Information Security Law Blog

On June 24, 2011, the U.S. Department of Commerce’s International Trade Administration released a PowerPoint presentation on Mexico’s new private sector data protection law that was shared at a meeting of the OECD Working Party on Information Security and Privacy by Mexico’s Ministry of Economy and Federal Institute for Access to Information and Data Protection (“IFAI”).  The presentation provides guidance on the creation of privacy notices and establishment of self-regulatory schemes, and also outlines the responsibilities of the Ministry of Economy and the IFAI ...

Recent developments involving the use of facial recognition technology have raised privacy concerns in the United States, Europe and Canada.  As we reported earlier this month, the Electronic Privacy Information Center (“EPIC”) and several other consumer privacy advocacy groups filed a complaint with the Federal Trade Commission against Facebook for its use of facial recognition technology.  According to EPIC’s complaint, Facebook’s Tag Suggestions feature recognizes individuals’ faces based on photographs already on Facebook, then suggests that users “confirm Facebook’s identification of facial images in user photos” when they upload new photos to their Facebook profiles.

On June 23, 2011, in a 6-3 decision, the United States Supreme Court ruled in IMS Health Inc. v. Sorrell that a Vermont law prohibiting the sale of prescriber-identifiable data to drug companies was an unconstitutional violation of the First Amendment right to free speech.  Thomas Julin, a partner at Hunton & Williams LLP, represented IMS Health in this case.  The Supreme Court’s ruling affirmed the holding of the U.S. Court of Appeals for the Second Circuit, resolving a split with the First Circuit (which upheld a similar law in New Hampshire), and likely preventing the enactment of similar restrictive laws across the country.

Speaking at the British Bankers’ Association’s Data Protection and Privacy Conference in London on June 20, 2011, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, signaled her intention to streamline data protection to “simplify the regulatory environment” and “substantially reduce the administrative burden” for businesses.  In return, Reding expects businesses to ensure “safe and transparent digital products and services.”

On June 20, 2011, Malaysia’s Bernama News Agency reported that the Malaysian Ministry of Information, Communication and Culture will establish a government department to facilitate the implementation of Malaysia’s new Personal Data Protection Act.  Malaysia passed the Personal Data Protection Act in 2010, but the law has yet to go into effect.  According to the report, enforcement of the Act is scheduled for early next year.

On June 14, 2011, the PCI Security Standards Council’s Virtualization Special Interest Group published its “Information Supplement: PCI DSS Virtualization Guidelines”(the “Guidelines”) to Version 2.0 of the PCI Data Security Standard (“PCI DSS”).  The Guidelines provide context for the application of the PCI DSS to cloud and other virtual environments, and offer at least three critical reminders:

• the PCI DSS applies to cloud environments without exception; 
• critical analysis of the application of the PCI DSS to rapidly evolving cloud offerings is essential to compliance; and
• cloud providers must be prepared to document and contract for necessary controls.

As reported in Hunton & Williams' Employment & Labor Perspectives blog, two unfair labor practice complaints recently issued by National Labor Relations Board regional offices in Buffalo and Chicago illustrate how closely the NLRB is scrutinizing employers’ termination decisions that are allegedly related to statements employees made on social media.  Read the full entry.

On June 15, 2011, European Data Protection Supervisor (“EDPS”) Peter Hustinx gave a press conference to present his annual report for 2010.  The annual report provides an overview of the EDPS’ main activities in 2010 and sets forth key priorities and challenges for the future.

In his speech, Hustinx focused primarily on the review of the EU data protection framework and the Data Retention Directive.  He referenced his recent Opinion in which he concluded that the Data Retention Directive does not meet general EU data protection requirements and that the European Commission should explore the possibility of replacing it with alternative measures such as data preservation through a “quick freeze” procedure.  Hustinx also stated his intention to keep a close eye on any developments with respect to RFID technology, cloud computing and online enforcement of intellectual property rights.

As reported yesterday, on June 16 and 17, 2011, the Hungarian Presidency of the Council of the European Union hosted a high-level international data protection conference in Budapest.  The following are some highlights from the second day’s events:

• During the “New principles in the field” panel, Professor Paul De Hert of the Vrije Universiteit Brussel gave an explanation of the case I v. Finland, which was decided by the European Court of Human Rights on July 17, 2008, and which both he and European Data Protection Supervisor Peter Hustinx agreed was a key document for the concept of accountability in European data protection law.  Endre Szabó of the Hungarian Ministry of Public Administration and Justice noted that the principle of accountability had not yet been fully accepted by all members of the European Council.

Two former employees of mobile phone provider T-Mobile have been ordered by a court in the United Kingdom to pay £73,700 (approximately $120,000) for the theft of T-Mobile customers’ personal data.  The Chester Crown Court ordered David Turley and Darren Hames to pay £45,000 and £28,700 respectively, under confiscation orders, along with prosecution costs.