On October 7, 2010, the French Data Protection Authority (the “CNIL”) released its first comprehensive handbook on the security of personal data (the “Guidance”).  The Guidance follows the CNIL’s “10 tips for the security of your information system” issued on October 12, 2009, which were based on the CNIL’s July 21, 1981 recommendations regarding security measures applicable to information systems.

The Guidance reiterates that data controllers have an obligation under French law to take “useful precautions” given the nature of the data and the risks associated with processing the data, to ensure data security and, in particular, prevent any alteration or damage, or access by non-authorized third parties (Article 34 of the French Data Protection Act).  Failure to comply with this requirement is punishable by up to five years imprisonment or a fine of €300,000.

On September 28, 2010, the German Federal Office for Information Security (the Bundesamt für Sicherheit in der Informationstechnik or “BSI”) released a draft framework paper on information security issues related to cloud computing.  The draft paper defines minimum security requirements for cloud solution service providers and provides a basis for discussions between service providers and users.  The paper addresses the following issues:

  • The definition of cloud computing
  • Service provider security management requirements
  • ID and rights management
  • Monitoring and security incident response
  • Emergency management
  • Security checks and verification
  • Requirements for personnel
  • Transparency
  • Organizational requirements
  • User control
  • Portability of data and applications
  • Interoperability
  • Data protection and compliance
  • Cloud certification
  • Additional requirements for public cloud service providers that support cloud solutions for the Federal Administration
On October 4, 2010, the French Data Protection Authority (the “CNIL”) stated in a press release that a recently enacted environmental law (Act No. 2010-788 of July 12, 2010, known as “Grenelle II”) expands the CNIL’s authority to regulate devices used to measure the viewership of advertisements in public places like shopping malls, train stations and airports.  Grenelle II introduces a new provision under Article L. 581-9 of the French Environmental Code, which states: “Any system that automatically measures the audience of an advertising device or which analyzes the typology or behavior of individuals passing within the vicinity of such advertising device requires prior approval of the CNIL.”

On October 8, 2010, the UK Information Commissioner’s Office (the “ICO”) launched a consultation on a new statutory code of practice on the sharing of personal data.

As stated in the ICO’s press release, the draft code sets out a model of good practice, covering routine and one-off arrangements for sharing data with third parties.  The code offers guidance on issues such as:

  • The factors that an organization must take into account when deciding whether or not to share personal data
  • The point at which individuals should be told that their data will be shared
  • The security and staff training measures that must be implemented
  • The rights of individuals to access their personal data
  • Circumstances in which it is not acceptable to share personal data
On September 14, 2010, a French Appeals Court in Dijon (the “Court”) upheld a decision against an employer that had terminated an employee who not only used a company car for personal reasons, but also committed serious traffic violations while using the vehicle.  The Court rejected evidence collected using a Global Positioning System (“GPS”) device embedded in the company’s vehicle on the grounds that the employer (1) had failed to register this data processing activity with the French Data Protection Authority (the “CNIL”) and (2) had not given proper notice to employees regarding the use of GPS devices in company cars.  Nevertheless, the Court ruled that the use of a geolocation device in the employment context does not necessarily constitute an invasion of an employee’s right to privacy, provided the employer complies with applicable laws.

On September 29, 2010, the Centre for Information Policy Leadership (the “Centre”) hosted a pre-conference workshop at the International Association of Privacy Professionals (“IAPP”) Privacy Academy in Baltimore, Maryland.  The tutorial “Accountability on the Ground,” led by Centre Executive Director Marty Abrams, offered practical guidance on the subject of accountability.  The workshop, which featured presentations by Centre member companies, discussed in-depth examples of how organizations can implement an accountability program.

According to a press report dated October 2, 2010, the German state data protection authorities responsible for the private sector (also known as the “Düsseldorfer Kreis”) continue to consider the use of Google Analytics on company websites to be illegal.  The Düsseldorfer Kreis reached this decision at a recent meeting of its Telemedia working group.  The group has indicated that it hopes to continue negotiations with Google.  Dr. Alexander Dix, the Berlin Commissioner for Data Protection and Freedom of Information who was interviewed on this issue, stated that although ...

On August 25, 2010, the German government approved a draft law concerning special rules for employee data protection, originally proposed by the Federal Ministry of the Interior.  A background paper on the draft law was published on August 25, 2010.  The draft law would amend the German Federal Data Protection Act (the Bundesdatenschutzgesetz or “BDSG”) by adding provisions that specifically address data protection in the employment context.  Currently, employee data protection is regulated by (1) general provisions in the BDSG, (2) the new Section 32 of the BDSG introduced by the most recent reform in September 2009, (3) the Works Constitution Act, (4) guidance from state data protection authorities, and (5) comprehensive case law from federal and local labor courts.

The Department of Health and Human Services (“HHS”) received numerous comments on its proposed modifications to the Health Insurance Portability and Accountability Act Privacy, Security and Enforcement Rules, which were issued on July 8, 2010.  Some highlights from the comments are outlined below.

Enforcement Rule

The American Hospital Association (“AHA”) suggested that HHS should continue to require the Secretary of HHS to attempt to resolve a complaint or compliance review through informal means, instead of making the informal resolution process optional.  According to the AHA, making “resolution via informal means optional, regardless of the perceived level of culpability of a particular entity” would not be appropriate or effective.  The Coalition for Patient Privacy, on the other hand, recommended stricter enforcement so that “the only category of violators that should not be penalized with fines are those who despite due diligence could not discover the violation, who reported the violation immediately when discovered, and fully corrected the problems within 30 days of discovery.”

The UK Information Commissioner’s Office (the “ICO”) has indicated that UK law firm ACS:Law could face a maximum penalty of £500,000 following a major data breach.

Personal information, including names and addresses, of over 8,000 Sky broadband subscribers and 400 PlusNet users was made publicly available following an apparent attack on ACS:Law’s website.  The broadband customers involved are suspected by ACS:Law’s clients of illegally file-sharing copyright work, including music and, in some instances, pornographic films.
