On April 10, 2015, the UK Information Commissioner’s Office (“ICO”) published a summary of the feedback received from its July 28, 2014 report on Big Data and Data Protection (the “Report”). The ICO plans to revise its Report in light of the feedback received on three key questions and re-issue the Report in the summer of 2015. Below are key highlights set forth in the summary, entitled Summary of feedback on Big Data and data protection and ICO response (“Summary of Feedback”).
On April 8, 2015, a New York Assemblyman introduced the Data Security Act in the New York State Assembly that would require New York businesses to implement and maintain information security safeguards. The requirements would apply to “private information,” which is defined as either:
- personal information consisting of any information in combination with one or more of the following data elements, when either the personal information or the data element is not encrypted: Social Security number; driver’s license number or non-driver identification card number; financial account or credit or debit card number in combination with any required security code or password; or biometric information;
- a user name or email address in combination with a password or security question and answer that would permit access to an online account; or
- unsecured protected health information (as that term is defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule).
On March 31, 2015, the Electronic Privacy Information Center (“EPIC”) filed a petition (the “Petition”) with the U.S. Court of Appeals for the District of Columbia Circuit accusing the Department of Transportation’s Federal Aviation Administration (“FAA”) of unlawfully failing to include privacy rules in the FAA’s proposed framework of regulations for unmanned aircraft systems (“UAS”), otherwise known as drones. The Petition stems from the FAA’s November 2014 denial of another EPIC petition calling for the FAA to address the threat of privacy and civil liberties associated with the deployment of aerial drones within the U.S.
The House of Representatives passed two complimentary bills related to cybersecurity, the “Protecting Cyber Networks Act” (H.R. 1560) and the “National Cybersecurity Protection Advancement Act of 2015” (H.R. 1731). These bills provide, among other things, liability protection for (1) the use of monitoring and defensive measures to protect information systems, and (2) the sharing of cybersecurity threat information amongst non-federal entities and with the federal government. With the Senate having just recently overcome disagreement on sex trafficking legislation and the Attorney General nomination, that body is now expected to consider similar information sharing legislation entitled the “Cybersecurity Information Sharing Act” (S. 754) in the coming weeks. Assuming S. 754 also is passed by the Senate, the two Chambers of Congress will convene a Conference Committee to draft a single piece of legislation which will be then voted on by the House and Senate, before heading to the President’s desk. The White House has not committed to signing any resulting legislation, but has signaled some positive support.
On April 23, 2015, the Federal Trade Commission (“FTC”) announced that Nomi Technologies (“Nomi”) has agreed to settle charges stemming from allegations that the company misled consumers with respect to their ability to opt out of the company’s mobile device tracking service at retail locations. The settlement marks the FTC’s first Section 5 enforcement action against a company that provides tracking services at retailers.
On April 15, 2015, the Federal Communications Commission (“FCC”) announced that it has joined the Asia Pacific Privacy Authorities (“APPA”), the principal forum for privacy authorities in the Asia-Pacific Region. APPA members meet twice a year to discuss recent developments, issues of common interest and cooperation. The FCC now joins the Federal Trade Commission as the U.S. representatives to APPA.
Data localization has been a matter of widespread concern in recent weeks. In an article published in the International Association of Privacy Professionals’ Privacy Perspectives, Hunton & Williams partner Manuel Maisog explains why lessons from China’s past show that its future should have little room for data localization. Maisog states that “[w]hile data localization has most recently and dramatically come to prominence in the form of Russian data localization legislation,” it currently “is a global issue.” He continues to say that “the Internet has linked the world’s information platforms so seamlessly that the effects of a successful data localization effort in any one major country or economy would make itself felt globally and immediately.”
On April 16, 2015, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2014 (the “Report”) highlighting its main accomplishments in 2014 and outlining some of the topics it will consider further in 2015.
On April 13, 2015, the Senate of Washington State unanimously passed legislation strengthening the state’s data breach law. The bill (HB 1078) passed the Senate by a 47-0 vote, and as we previously reported, passed the House by a 97-0 vote.
On April 15, 2015, the Asia-Pacific Economic Cooperation (“APEC”) Electronic Commerce Steering Group issued a press release announcing Canada’s participation in the APEC Cross-Border Privacy Rules (“CBPR”) System. The U.S. Department of Commerce’s International Trade Administration also released an official press statement.