Monthly Archives: May 2009

White House Releases 60-day Cybersecurity Review Detailing Threats

The White House today released the report from the 60-day cybersecurity review the President ordered in February. Speaking to a packed audience in the East Room, President Obama outlined the broad range of threats facing the digital infrastructure, focusing not only on national security and organized crime attacks, but also on identity theft and incursions into individual privacy. 

He promised a “new comprehensive approach to securing our nation’s infrastructure,” including appointment of a White House cybersecurity coordinator reporting to both the National Security Council and the National Economic Council. The coordinator would have broad responsibilities, but little direct authority, although the President did promise that the coordinator would have access to him.

Landmark Conference Considers Future of EU Data Protection Directive

On May 19 and 20 the European Commission held a conference which was perhaps the most important data protection event in Brussels since the Commission conference on evaluation of the EU Data Protection Directive 95/46/EC held in 2002. The conference was part of the Commission’s current evaluation of the Directive, and was designed to explore both the current status of data protection in the EU and where it is headed in the coming years. Speakers included Jacques Barrot, the European Commissioner in charge of justice, freedom and security; Alex Türk, chairman of the CNIL (French Data Protection Authority) and the Article 29 Working Party; European Data Protection Supervisor Peter Hustinx; and representatives of European academia, business and non-governmental organizations. Christopher Kuner of Hunton & Williams was among the speakers. The entire event was webcast live; video coverage will shortly be available here.

Maine Requires Breach Notice within Seven Days of Go-Ahead from Law Enforcement

On May 19, Maine Governor John Baldacci signed legislation limiting the time that breach notification may be delayed following a determination by law enforcement that providing notice will not compromise a criminal investigation. The provision, which will take effect 90 days after the close of the Legislature’s 2009 session (scheduled to occur on June 17), will limit the permissible delay to seven business days.

Pursuant to Maine’s current breach notification law, entities that become aware of a breach "shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused." If the entity concludes, following its investigation, that notification to affected individuals is required, notice may be delayed if a law enforcement agency determines that notice would "compromise a criminal investigation." Once the law enforcement agency concludes that notification will not compromise its criminal investigation, the entity will have no more than seven business days to provide notice of the breach to affected individuals.

Text of the legislation, L.D. 970, is available here.

First Enforcement of New California Medical Privacy Provisions: $250,000 Fine Imposed

On May 14, 2009, the California Department of Public Health issued an Administrative Penalty Notice to the Kaiser Foundation Hospital — Bellflower for patient medical information privacy violations. Although the state did not identify the affected patient by name, the facts and circumstances described in the Notice correspond to the case of Nadya Suleman, the single mother of six who gave birth to octuplets at Bellflower in January 2009. The hospital was fined $250,000 for failure to prevent unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information as required by new provisions recently added to California’s Health and Safety Code. California law also requires health care providers and facilities to notify the Department of any unlawful or unauthorized access to patient medical information within five days of detecting such access. These provisions were reportedly enacted in the wake of several high-profile health data compromises at California health care facilities involving celebrities such as Farrah Fawcett, Britney Spears and California first lady Maria Shriver. To read more, click here.

German Government Introduces €50,000 Penalty on Unsolicited Phone Calls

On May 15, 2009, the German Federal Council adopted the "Act against unsolicited commercial phone calls and improvement of consumer protection." According to the Act, violations of the existing prohibition on unsolicited commercial phone calls can now be sanctioned with a fine of up to €50,000.

In addition, the Act clarifies that a commercial phone call is lawful only if the recipient has given his or her prior explicit consent to receive the call. The provision is intended to prevent the caller from relying on consent that the recipient may have given in an entirely different context, or only after the call was placed. Further, those placing commercial phone calls may not suppress their phone number or identity; violations of this prohibition may be sanctioned with a fine of up to €10,000. The Act will enter into force after publication in the official federal gazette. The full text of the Act (in German) can be found here.

Deutsche Telekom Issues First Data Protection Report

As a consequence of the data protection scandals at Deutsche Telekom AG over the last few years, the company has committed to reviewing such incidents by publishing an annual data protection report. On April 28, 2009, the first report, covering year-end 2008, was issued; it is intended to show the public that Deutsche Telekom is focused on transparency in its data protection practice. The first chapter of the report contains an overview of the significant data protection incidents of 2008. The following chapters present the operational focus areas of the company’s data protection practice. After the conclusion and outlook sections, an annex describes Deutsche Telekom’s data protection organizational structure and provides a framework for data protection activities at the operational level. The company’s "Privacy Code of Conduct" is also included in the report. The full text of the report and press release (in German) can be found here.

International Body to Approve Resolution for a Draft of International Standards on the Protection of Personal Data

In November, the 31st International Conference of Data Protection and Privacy Commissioners will approve a resolution that will include an international standard for privacy protection called the “Joint Proposal for a Draft of International Standards on the Protection of Privacy with regard to the processing of Personal Data.”  The standard will be submitted to the United Nations as the basis for a treaty.  This is not the conference’s first attempt to reach consensus on an international standard, but it is the first to include robust processes that will begin to narrow the issues that divide nations on data protection law.

EU Commission Issues Recommendation on RFID, Privacy and Data Protection

On May 12, 2009, the European Commission issued a long-awaited recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (“RFID”).  The recommendation follows a process initiated in 2006 when the European Commission launched a public consultation on RFID technologies.  Following this public consultation and in order to protect consumers’ privacy and data protection, the European Commission decided to take further steps by preparing a recommendation to regulate the use of RFID.

RAND Report Commissioned by the UK Information Commissioner’s Office

The UK Information Commissioner’s Office has published a review of the strengths and weaknesses of the EU Data Protection Directive, commissioned from RAND Europe.

The concept of such a review was highly radical when first proposed. It provoked the promise of a similar study from the European Commission and generated much debate as to whether, and if so when, the Directive itself might be reviewed. The conclusions of the RAND study are much less radical than anticipated but more likely, as a consequence, to stimulate constructive debate within Europe as to the future shape of data protection law. Whilst not endorsing the RAND study, in April 2009, the European Privacy and Data Protection Commissioners’ Conference discussed the themes raised by RAND and issued a declaration committing to contribute to the ongoing debate concerning the future of data protection law, including better implementation and enforcement of the existing legal framework.

European Parliament Adopts Position on Data Breach Notification Requirement for Telecoms and ISPs

On May 6, 2009, the proposed amendments to the e-Privacy Directive received a second reading in the European Parliament. In addition to other measures, the amended Directive will include a definition of “personal data breach” and will introduce a data breach notification requirement.

The review of the e-Privacy Directive forms part of a wider review of telecoms legislation.  The objective of that review is to improve network security and integrity, to increase protection for user personal data and to improve measures to prevent spam and “cyber attacks.”  The scope of the amended Directive will include the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks within the European Community, including public communications networks supporting data collection and identification devices.
