International

At a co-hosted event last week, Covington & Burling LLP and The George Washington University’s Cybersecurity Initiative released an issue brief on the growing threats of cyberespionage and trade secret theft and responses to address these threats.  The paper provides an overview of existing laws and policy reforms being considered

Continue Reading Covington and the George Washington University’s Cybersecurity Initiative Release Issue Brief on Cyberespionage and Trade Secret Theft

On 10 September 2013, the UK’s Information Commissioner (ICO) released new guidance on direct marketing.  The paper canvasses the marketing rules found in the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, with the aim of helping companies to comply with the law when engaging in direct marketing activities.  Those activities remain broadly understood, and include the delivery of all promotional materials, including those with only a small marketing element, materials promoting not-for-profits like charities or political parties as well as market research activities if their real purpose is promotional.  Direct marketing also encompasses traditional forms of marketing (e.g., telesales, mailshots) as well as newer methods (e.g., online marketing and social networking).  However, the ICO suggests that advertising not targeted at particular recipients, such as website advertising that appears the same to all site visitors, is not covered by the direct marketing rules.
Continue Reading The ICO Publishes New Guidance on Direct Marketing

The Organization for Economic Cooperation and Development (“OECD”) has revised its Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data. The revision was triggered by changes in personal data usage as well as new approaches to privacy protection since the adoption of the first Guidelines back in 1980, which were the first set of internationally agreed privacy principles. While the eight basic principles of the 1980 Guidelines (namely the collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability principles) are retained, the revised Guidelines introduce a number of new concepts and changes to the OECD privacy framework, implementing a risk-based approach. These include: 

  • implementing privacy management programs – essential elements discussed in this respect include privacy policies, employee training and education, provisions for sub-contracting, audit process and privacy risk assessment;
  • introducing mandatory data security breach notification – requiring notification to the privacy enforcement authority where there is a significant security breach affecting personal data and notification to individuals where such a breach is likely to adversely affect individuals;
  • the need for privacy enforcement authorities and national privacy strategies – the revised Guidelines recognize the need to establish authorities with the governance, resources and technical expertise necessary to exercise their powers effectively and to make decisions on an objective, impartial and consistent basis; they also promote the development of a coordinated approach across governmental bodies up to the highest levels; Member countries should also consider complementary measures, including education and awareness raising, skills development and the promotion of technical measures;
  • improving global interoperability – to be improved through international arrangements (examples mentioned include the U.S.-EU Safe Harbor framework, the EU Binding Corporate Rules and the Council of Europe Convention 108 on the Automated Processing of Personal Data) and global cooperation among privacy enforcement authorities.

Continue Reading Revised OECD Privacy Guidelines Strengthen Accountability Principle

The Civil Liberties Committee (“LIBE”), the European Parliament’s lead committee for the proposed General Data Protection Regulation, is expected to vote on its preliminary position on the European Commission’s proposal on October 21. LIBE has been struggling to reduce the large number of suggested amendments and, as a result, its

Continue Reading EU Parliament’s Lead Committee Will Vote on EU Data Protection Regulation in October

Under the so-called e-Privacy Directive, providers of publicly available electronic communications services (primarily telecom providers and ISPs) are obliged to notify the competent national authorities and, in certain cases, also the subscribers and individuals concerned, of personal data breaches. In order to ensure consistency in the implementation of this notification obligation by the EU Member States, the European Commission has adopted technical implementing measures in the form of Regulation No 611/2013 on the notification of personal data breaches in the electronic communications sector, which entered into force on 25 August.

The Regulation, which has direct effect in all EU Member States, specifies the circumstances, the format and procedures applicable to these notification requirements under the e-Privacy Directive in case of personal data breaches (that is, any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the EU).

Continue Reading Data Breach Notification within 24 hours in the Electronic Communication Sector – An Example to Follow in the Reform of the EU Data Protection Directive?

By Eric Carlson & Scott Livingston

On August 27, 2013, state-run China Central Television broadcast a taped confession of detained British fraud investigator Peter Humphrey confessing to having used “illegal means” to obtain the personal information of Chinese citizens.  This highly unusual broadcast of a confession made by a foreigner in China, along with other recent actions against data privacy violations, suggests an increasing focus by Chinese authorities on enforcement of laws and regulations relating to the protection of an individual’s personal information, and underscores the growing need for companies with operations in China to ensure their personal data collection, handling, and transfer policies comply with national laws and regulations.

Continue Reading British Fraud Investigator Admits on Chinese State TV to Illegally Purchasing and Selling Personal Information

On July 30, 2013, the Korean Ministry of Security and Public Administration (MOSPA) announced several amendments to the Personal Information Protection Act (PIPA) concerning collection and use of ‘Resident Registration Numbers’ (RRNs) – Korea’s national identification numbers. The PIPA is a general legal framework for personal information protection and is complemented by several sector-specific laws.

According to the MOSPA’s press statement, the following amendments will come into force in August 2014:

Continue Reading Korea Strengthens Protection for ‘Resident Registration Numbers’ (RRNs): Leaks May Face a Fine of up to 0.5 Billion Korean Won

On July 16, 2013, China’s Ministry of Industry and Information Technology (“MIIT”) promulgated the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (“Internet Provisions”).  The Internet Provisions, which take effect September 1, 2013, provide specific implementation rules for telecommunication and internet information service providers’ (“TSPs” and “IISPs,” respectively) collection and use of “users’ personal information,” based on a more generally worded national law protecting “personal electronic information” issued in December 2012 and entitled Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (see our previous client alert here).

“IISPs” is a broad category that includes all companies utilizing a mainland-based website (i.e., a website registered with or licensed by MIIT) to collect personal information (“PI”) from their customers or site visitors.  “TSPs” are those entities providing access to telecommunications services, such as China Mobile.

Continue Reading China Issues Comprehensive Regulation on Collection and Use of Personal Information by Websites and Telecommunication Service Providers

Last week, Amadeus, which provides one of the three major global distribution systems to the travel industry, published a report on big data authored by Thomas Davenport (currently a visiting professor at the Harvard Business School).  Davenport identifies data privacy issues as a major challenge to the use of big data and suggests that proceeding with “permission, transparency and with delicacy” is key.  However, his summary and recommendations do not mention how the privacy challenge can be addressed.  In this post I will highlight some of the most interesting aspects of the report and will add my own recommendations for what companies in the travel industry should be considering in terms of privacy.  

  • Data scientists and machine learning.  Tom Davenport’s report identifies the increasing importance (and scarcity) of data scientists and how they are critical to understanding machine learning (one of the aspects of big data that is different from traditional forms of data analytics).  McKinsey made a similar point in their report on big data.  Less frequently discussed is the fact that data scientists will access a great deal of personal and sensitive data.  Because of this, background checks before hiring and post-hiring privacy training will be especially important.  Indeed, sensitivity to privacy issues should be considered a core competency of the data scientists. 

Continue Reading Recommendations for Big Data in the Travel Industry