China’s principal internet regulator, the Cyberspace Administration of China (“CAC”), announced this week that China will move forward with new legislation to combat the improper collection, use, and sale of personal information. The new legislation, announced during an interview of a senior CAC official by state-owned Xinhua News, is reportedly being
Continue Reading China’s Internet Gatekeeper Announces Legislation to Enhance Personal Information Protection

  1. The CJEU “Right to be Forgotten” Ruling.  In May 2014, the Court of Justice of the European Union (CJEU) delivered an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12).  The CJEU’s decision re-interpreted European data protection law to include a so-called “right to be forgotten” that enables individuals to request that search engines block links that appear in searches of their names if the links lead to information that is incomplete, inaccurate, irrelevant, or otherwise damaging to the individual’s privacy.  (This right is limited in the case of public figures, however.)  The decision also found that Google was subject to European data protection law because it operated subsidiaries in Europe whose business was to raise advertising revenues in relation to the search engine’s data processing activities.  The decision triggered an immediate tidal wave of tens of thousands of requests to Google and other search engines that continues to raise controversies to this day.
  2. CJEU strikes down the Data Retention Directive as invalid.  In April 2014, the CJEU took the rare step of annulling the controversial Data Retention Directive, which mandated the systematic (“bulk”) retention of communications metadata by telecommunications companies in the EU, for potential access by law enforcement authorities (see our blog post here).  The Court criticised the Directive’s indiscriminate targeting of suspects and non-suspects alike, and the law’s general lack of safeguards, finding that it amounted to an “interference with the fundamental rights of practically the entire European population” contrary to Articles 7 and 8 of the Charter of Fundamental Rights of the EU.  The Directive’s invalidation raised questions about the continuing validity of the national laws that had implemented the Directive throughout the EU.  In the UK, this led to the accelerated adoption of substitute legislation, the Data Retention and Investigatory Powers Act 2014 (“DRIPA”), and its implementing regulations.
Continue Reading Top 10 International Privacy Developments of 2014

By Caleb Skeath

Last week, Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) re-introduced the Data Accountability and Trust Act (DATA Act) in the House of Representatives.  The bill (H.R. 580), which has been introduced several times in previous years, would establish a nationwide data security standard, backed by FTC enforcement and civil penalties, and would require notification of affected individuals in the event of a data breach.  Meanwhile, Sens. Dianne Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR), and Bill Nelson (D-FL) introduced a similar bill, the Data Security and Breach Notification Act (S. 177), this week in the Senate.  The Senate bill is also a re-introduction of a previous bill and would likewise provide FTC-enforced security standards and individual breach notifications.

Although the text of the DATA Act has not yet been released, a release from the bill’s sponsors stated that the bill will be “substantially similar” to prior versions.  According to the release, the bill will define “personal information” to include an individual’s name in connection with (1) a Social Security number, (2) a driver’s license, passport, or other government-issued identification number, or (3) a financial account or credit or debit card number in combination with a security code or password that would permit access to the individual’s financial account.  Commercial entities that own or process personal information would be required to implement effective information security procedures and policies to safeguard that information.  Following a breach, entities would have to notify the affected individuals, in addition to the FTC.  The FTC and state attorneys general would enforce the provisions of the bill, which would allow for civil penalties of up to $5 million for violations.  The bill’s sponsors have announced a public briefing on the bill on February 6, during which they will provide more information about the bill’s provisions.
Continue Reading Data Breach Notification Bills Introduced in House and Senate

Last week, a group of privacy experts, including regulators and representatives of the automobile and consumer electronics industries, spoke at a Continuing Legal Education Program hosted by the Federal Communications Bar Association.  The panel discussed, among other things, the relatively new set of privacy principles that has been developed for vehicle technologies and services, which is scheduled to take effect in January 2016.  This post summarizes those principles and the panelists’ comments.
Continue Reading Connected Cars and Other Web-Connected Devices

By Caleb Skeath

Earlier this week, the Senate Committee on Homeland Security and Governmental Affairs held its first hearing of the new Congress, entitled “Protecting America from Cyber Attacks: The Importance of Information Sharing.”  The hearing focused in large part on the White House’s recent information sharing proposal, which
Continue Reading Senate Hearing Addresses White House Information-Sharing Proposal

By Fredericka Argent

The UK’s Information Commissioner’s Office (ICO) has announced that it is looking to introduce a system of “privacy seals” for organizations doing business in the UK.  The seal is intended to be a consumer-facing stamp of approval demonstrating that a particular organization is meeting or surpassing the compliance requirements of the UK’s Data Protection Act.  The ICO expects that this will provide numerous benefits, both for companies, who could gain an advantage over competitors, and for customers, who should feel confident entrusting their personal information to companies displaying the seal.  It is hoped that the privacy seal will incentivize good data protection practices across UK businesses.

The privacy seals themselves will be delivered by third-party operators who are endorsed by and work with the ICO.  It is expected that different operators will focus on different sectors, meaning that accreditation schemes can be tailored to particular industries.  For example, the operator handling privacy seals for mobile app companies may be different from the operator assigned to healthcare service providers.  A privacy seal will only be awarded to an organization once it has demonstrated that it meets the relevant data protection standards.
Continue Reading The UK’s Data Protection Regulator to Introduce “Privacy Seals” for Businesses

On Wednesday, January 28, 2015, better known as “Data Protection Day,” the Belgian Under-Secretary for Data Protection Bart Tommelein called for the creation of an EU Data Protection Authority.  He intends to present this position of the Belgian Government to the informal meeting of Ministers of Justice and of the
Continue Reading Belgian Government Calls for EU Data Protection Authority

Yesterday, the Federal Trade Commission released a staff report on the Internet of Things (“IoT”) that provides best practice recommendations for addressing privacy and security risks associated with IoT products and services.  The report, Internet of Things: Privacy & Security in a Connected World, also summarizes findings from the FTC’s 2013 IoT workshop.  In the report, the FTC staff defines “IoT” as “devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet.”  Examples of IoT products and services include smart home appliances, connected car services, and fitness trackers.

For industry, the most significant sections of the report are the staff’s privacy and security recommendations, which fall into three main categories: (1) security, (2) data minimization, and (3) notice and choice.  These recommendations are technology-neutral and applicable across a wide range of technologies.  The report also addresses the staff’s view on the need for legislation.

The Commissioners voted 4 to 1 in favor of issuing the report.  Commissioner Maureen Ohlhausen issued a separate statement that generally supported the report while declining to endorse a couple of its recommendations.  Commissioner Joshua Wright dissented from the issuance of the report.  The remainder of this blog post analyzes the report’s recommendations and the commissioners’ statements in greater detail.
Continue Reading FTC Internet of Things Report Outlines Privacy and Security Recommendations for Industry

This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation.  Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace the 47 existing state data breach laws with a single national standard have so far been unsuccessful.  This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) said.
Continue Reading House Debates Federal Data Breach Legislation

The European Commission has finally published its summary of the 211 responses to its mobile health (“mHealth”) consultation.  The summary and the original responses to the consultation have been made available on the Commission’s website at https://ec.europa.eu/digital-agenda/en/news/summary-report-public-consultation-green-paper-mobile-health

The consultation covered a broad range of important issues for mHealth, including legal frameworks, privacy and data protection, patient safety, mHealth’s role in healthcare systems, equal access, interoperability, funding and reimbursement, liability, research & innovation, international cooperation, and market access issues, particularly for web entrepreneurs.
Continue Reading Summary Report of European Commission’s mHealth Consultation Published