In February 24, 2010, an Italian court in Milan found three Google executives guilty of violating applicable Italian privacy laws. The executives were accused of violating Italian law by having allowed a video showing an autistic teenager being bullied to be posted online. The Google executives, Senior Vice President and Chief Legal Officer David Drummond, Chief Privacy Counsel Peter Fleischer and former Chief Financial Officer George Reyes, were fined and received six-month suspended jail sentences.
On February 22, 2010, the Federal Trade Commission issued a news release indicating that it had notified almost 100 organizations that personal data about their customers, students or employees had been shared from their computer networks on peer-to-peer (“P2P”) file sharing sites, thereby exposing the data of affected individuals to possible identity theft and fraud. In its letters, the FTC urged recipient entities to review their internal security procedures and the security procedures of their third party service providers. The letters also recommended that the companies identify affected individuals and consider whether to notify them of the possible risks to their personal information pursuant to applicable state and federal data security breach notification laws. Samples of the FTC’s letters were published with the news release and are available on the FTC’s website.
In addition, to help companies manage security risks related to P2P networks, the FTC published a Guide for Businesses on Peer-to-Peer file sharing and provided a link to a P2P Security Guide for consumers.
Hunton & Williams partner, Lisa J. Sotto, discussed the FTC’s release in USA Today’s Technology Live Blog.
After several delays and revisions, the Massachusetts information security regulations, entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth,” will take effect on March 1, 2010. The regulations apply to entities that own or license personal information about Massachusetts residents. “Personal information” is defined as a combination of a resident’s first and last name and Social Security number, driver’s license or state ID number, or financial account number or payment card number that permits access to the individual’s financial account.
The U.S. Supreme Court has set oral argument for April 19, 2010, to review the Ninth Circuit’s 2008 decision on employee privacy in Quon v. Arch Wireless Operating Co. Although Quon concerns the scope of privacy rights afforded to public employees under the Fourth Amendment, the case also has forced private employers to renew their focus on ensuring robust and consistent enforcement of employee monitoring policies. Unlike government employers, private employers are not subject to the Fourth Amendment’s prohibition against unreasonable searches and seizures; instead, they must comply with federal wiretap statutes and state law. In practice, however, the “reasonable expectation of privacy” test courts apply to state common law privacy claims that govern private employers is virtually identical to the Fourth Amendment test. Accordingly, the Supreme Court’s review of the Constitutional test likely will affect how courts view privacy claims brought against private employers.
We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published. The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule. Similarly, the HITECH Act requires covered entities to provide in their business associate agreements that all of the HITECH Act’s security requirements applicable to covered entities are also applicable to business associates.
A computer user’s failure to secure his wireless network contributed to the defeat of his claim that a neighbor’s unwelcome access to his files violated the Electronic Communications Privacy Act (“ECPA”). The ECPA places restrictions on unauthorized interception of, and access to, electronic communications.
On February 11, 2010, the plenary of the European Parliament rejected by a vote of 378 to 196 the agreement reached in 2009 between the EU and the U.S. to allow access by U.S. law enforcement authorities to the payment database of the financial consortium SWIFT. The agreement had been negotiated between the EU Council of Ministers and the European Commission with the U.S. government to allow continued access to the database, a mirror copy of which had been moved by SWIFT from the U.S. to Europe. With the Lisbon Treaty’s entry into force, the Parliament gained new powers to approve measures affecting law enforcement and civil liberties, and a number of members of the Parliament have expressed concern regarding the level of data protection provided for in the agreement. According to news reports, several top U.S. government officials (including Secretary of State Hillary Rodham Clinton and Treasury Secretary Timothy Geithner) had been lobbying the European Parliament to approve the agreement, on the grounds that it was essential to fight terrorism in both the U.S. and Europe.
On February 1, 2010, it became compulsory for randomly selected passengers at Heathrow and Manchester airports in the UK to pass through full body scanners before boarding their flights. This enhanced security screening has been implemented following the attempted Christmas Day terrorist attack at the Detroit airport in the United States, after which the British government announced that it would begin mandatory body scanning at all UK airports. The move has raised concerns about the excessive collection of personal data.
Cloud computing raises complex legal issues related to privacy and information security. As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments. In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use of cloud computing.
On February 5, 2010, the European Commission adopted a new set of standard contractual clauses (“SCCs”) for transfers of personal data from data controllers in the EU to data processors outside the EU. View the European Commission press release.