Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

On August 10, 2010, Illinois Governor Pat Quinn signed the Employee Credit Privacy Act, which prohibits most Illinois employers from inquiring about an applicant’s or employee’s credit history or using an individual’s credit history as a basis for an employment decision.  The definition of “employer” under the Act exempts banks, insurance companies, law enforcement agencies, debt collectors and state and local government agencies that require the use of credit history.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As we recently reported, the FTC expressed its opposition to a move by creditors of bankrupt XY Magazine to acquire personal information about the magazine’s subscribers, on the grounds that such a transfer would contravene the magazine’s privacy promises and could violate the Federal Trade Commission Act.  The magazine, which catered to a young gay audience, had a website privacy policy that asserted “[w]e never give your info to anybody” and “our privacy policy is simple: we never share your information with anybody.”  Readers who submitted online profile information were told that their information “will not be published.  We keep it secret.”  The personal information at issue included the names, postal and email addresses, photographs and online profiles of more than 500,000 users.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

BBC News is reporting that privacy was a major topic at this year’s Hackers on Planet Earth (“HOPE”) conference that was held in New York in July.  Participants spoke to the BBC about privacy vulnerabilities that they have discovered on various Internet sites.  For example, one participant discussed how GPS data embedded in digital photos users post online, combined with other information available in the photos and on the Internet, may reveal the exact locations where the users work, live and travel, as well as users’ real-time locations.  Participants explained that their goal is to identify the privacy vulnerabilities and provide information to others on how to protect their privacy online.  Hear the full interview.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Following our blog entry posted on June 2, 2010, Dr. Jörg Hladjk of Hunton & Williams offers additional insights on the obligations of German data exporters with respect to the Safe Harbor compliance program during the Centre for Information Policy Leadership’s First Friday Call on August 6, 2010.  On the call, Dr. Hladjk also discusses a press release issued by the German federal state of Schleswig-Holstein in light of the 10th Anniversary of Safe Harbor.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Richard Thomas (RT): Lisa, congratulations on the publication of the new treatise.  I’m sure the Privacy team has been waiting for its release.  Could you give us some background on what prompted you and the team to write the Privacy and Data Security Law Deskbook?

Lisa Sotto (LS): Thanks, Richard.  Privacy and information security are topics that have received significant attention during the last few years.  Organizations that manage personal information are under the microscope and are struggling to keep up with the many new and evolving legal requirements around the world.  In addition, there is a real uptick in enforcement actions for privacy and data security incidents.  As the former Information Commissioner of the UK, I’m sure you would agree that privacy is an issue on which nearly every global company must focus.  In 2009 alone, companies spent an average of $6.6 million to rebuild their brand image and retain customers after being involved in some type of data breach the previous year.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As reported in BNA’s Privacy Law Watch on July 29, 2010, three bills were introduced by House Republicans to repeal Section 929I of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”).  Section 929I of the Dodd-Frank Act has been a source of controversy because it gives the SEC significant latitude to sidestep FOIA requests by providing that the SEC "shall not be compelled to disclose" certain information it obtains pursuant to the '34 Act when conducting surveillance, risk assessments or other regulatory and oversight activities.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On July 27, 2010, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), issued a press release stating that it had recently levied €194,000 in administrative fines in two cases against companies accused of violating a ban on cold calling.  The cases involved consumer complaints implicating the companies in several illegal acts.  The companies claimed they had obtained prior consent from the consumers they contacted.  The BNetzA, which is the regulatory office for electricity, gas, telecommunications, post and railway markets in Germany, rejected the companies’ argument on the grounds that the “consent” was based on the consumers’ implicit acceptance of the terms of use associated with certain Internet games.  The terms of use included a provision regarding a participant’s consent to telemarketing by partners, sponsors and other companies.  The BNetzA stated that, because these terms of use did not satisfy the legal requirements for consent, the company had not obtained valid consent to call the consumers.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Reporting from Israel, legal consultant Dr. Omer Tene writes:

On July 28, 2010, the Israeli Supervisor of Banks, Rony Hizkiyahu, issued a letter to the CEOs of all local banks expressing concern over the banks' and their employees' use of online social networks, including both proprietary Web 2.0 tools and networking sites such as Facebook, Twitter, LinkedIn, MySpace and YouTube, all of which are explicitly referred to in the letter.  The Supervisor of Banks, Israel’s banking regulator, requires banks to take steps to ensure data protection and information security, including having outside experts perform risk assessments, creating and enforcing policies for use of social networking tools as well as guidelines and procedures for implementation and audit, and devising a data security strategy to address increased risks to employee and customer data.  These instructions are in addition to the Supervisor of Banks Proper Conduct of Banking Business Regulation No. 357, Information Technology Management, as well as applicable data protection law and regulations.

View the Supervisor of Banks’ letter (in Hebrew).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In a statement released on August 2, 2010, the French Data Protection Authority (the “CNIL”) announced that the European Commission has adopted a new time frame for the revision of the EU Data Protection Directive 95/46/EC (the “Directive”).  Following a public consultation on the EU Data Protection Framework late last year, Commissioner Viviane Reding, who is in charge of Justice, Fundamental Rights and Citizenship, had announced that a proposal for the revision of the Directive would be presented in November 2010.  However, several European data protection authorities urged the European Commission not to rush through the revisions, and requested additional time in order to address the impact of this revision and challenges to personal data protection.  Accordingly, the European Commission has decided to postpone the release of a proposal, noting that it will instead issue a statement in November 2010, and will present proposed revisions in the latter half of 2011.

More information is available (in French) on the CNIL’s website.

• Email This
• Print
• Comments
• Trackbacks
• Share Link