Privacy & Information Security Law Blog

In recent weeks, regulators in California and Illinois have issued guidance on responding to data security breaches, while UK and California authorities released online forms for organizations to use when providing notification of a breach to regulators.

In December 2011, the UK Information Commissioner’s Office (“ICO”) released a new breach notification form, reinforcing its expectation that organizations provide notification whether or not such notification is legally required. Sector-specific breach notification requirements were introduced in the UK by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and since May 2011, public electronic communication service providers have been required to notify the ICO, and in some cases affected individuals, in the event of a data security breach. All other organizations are strongly encouraged to notify the ICO of serious security breaches, and the fact that an incident was reported voluntarily is something the ICO takes into consideration when determining the appropriate enforcement action.

Throughout 2011, the UK Information Commissioner’s Office (“ICO”) escalated its use of data protection audits, encouraging organizations to submit to voluntary audits and seeking to increase its ability to conduct compulsory audits. Currently, the ICO has the authority to compel central government departments to undergo audits, but it would like to extend compulsory audits to include local government, the national health service and the private sector.

On January 26, 2012, the German Data Protection Commissioners (“DPAs”) of the federal states Rhineland-Palatinate and Hesse held a joint press conference to present their views on the European Commission’s legislative proposal for a comprehensive reform of current EU data protection rules. The day before, the European Commission proposed replacing the existing EU Data Protection Directive 95/46/EC with a Regulation that would be directly applicable in all European Member States and therefore not require implementing legislation on the national level.

On January 25, 2012, the European Commission released a data protection law reform package, including its proposed General Data Protection Regulation (the “Proposed Regulation”). The UK Information Commissioner’s Office (“ICO”) has reacted positively to the Proposed Regulation, in particular commending efforts to strengthen the rights of individuals, the recognition of important privacy concepts such as privacy by design and privacy impact assessments, and new accountability requirements to ensure organizations properly demonstrate and document their data protection safeguards and procedures.

On January 24, 2011, Connecticut Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein announced that they had reached an Assurance of Voluntary Compliance (“AVC”) with Metropolitan Life Insurance Co. (“MetLife”) in connection with an incident involving the disclosure of customer personal information on the Internet. In November 2009, a MetLife employee posted the personally identifiable information of current and former MetLife customers, including their Social Security numbers, on the Internet. Following the discovery of the posting, MetLife acted to mitigate possible harm by providing credit monitoring and identity theft insurance to the affected customers.

On January 12, 2012, Hunton & Williams hosted an hour-long webinar on the current enforcement environment in the U.S. and EU. The webinar, Current Trends in Global Privacy Enforcement, covered issues ranging from the Federal Trade Commission’s tougher approach to investigations to increased monitoring of corporate privacy practices by European data protection authorities. Hunton & Williams speakers included Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice, London partner Bridget Treacy, London senior attorney Rosemary Jay and Brussels ...

On December 28, 2011, UK Information Commissioner Christopher Graham outlined the ICO’s agenda for 2012 in a post on the ICO blog, highlighting the European Commission’s proposals for reviewing the EU data protection framework, the post-legislative scrutiny process with respect to the UK Freedom of Information Act (“FOIA”) and the ICO’s Information Rights Strategy. The Commissioner cautioned against allowing data protection compliance to fall by the wayside in the current, tough economic climate, especially given the inevitable reputational damage caused by big data breaches and the ICO’s power to impose fines.

As reported in BNA’s Privacy Law Watch, EU Member States are working on an overarching privacy framework agreement with the United States. The framework agreement, which may be used as a starting point for future negotiations, aims to reduce the amount of time and resources required to prepare new agreements between the European Union and the United States.

On January 25, 2012, the European Commission published its long-awaited legislative package to reform EU data protection rules. The package includes a regulation that covers data processing in the private sector and by public authorities and a directive covering data processing for criminal justice purposes, as well as a communication, a report on the protection of personal data processed in the framework of police and judicial cooperation, and an impact assessment with a summary.

On January 17, 2012, the European Commission initiated expedited infringement proceedings against Hungary over recent changes to its Constitution which are considered incompatible with EU law. The proceedings follow a number of changes made to the Hungarian Constitution that came into effect on January 1, 2012. Of particular concern to the Commission are amendments affecting the independence of the national data protection authority. The Hungarian government has one month to comply, or face enforcement proceedings in the European Court of Justice.