Lithuanian firm LAWIN Lideika, Petrauskas, Valiūnas ir partneriai reports that recent amendments to Lithuania’s Law on Legal Protection of Personal Data and the Law on Electronic Communications have established a breach notification requirement. Specifically, providers of publicly-available electronic communications services or of public communications networks must notify the data protection authority of data security breaches, and, when the breach is likely to have an adverse effect on the privacy of affected individuals, the data controller also may be required to notify those individuals.
On November 29, 2011, the Federal Trade Commission announced that Facebook has settled charges that it deceived consumers by making false privacy promises. The settlement requires Facebook to (1) not misrepresent how it maintains the privacy or security of users’ personal information, (2) obtain users’ “affirmative express consent” before sharing their information with any third party that “materially exceeds the restrictions imposed by a user’s privacy setting(s),” (3) implement procedures to prevent a third party from accessing users’ information no later than 30 days after the user has deleted such information or terminated his or her account, (4) establish, implement and maintain a comprehensive privacy program, and (5) obtain initial and biennial assessments and reports regarding its privacy practices for the next 20 years.
On November 29, 2011, at the International Association of Privacy Professionals (“IAPP”) Europe Data Protection Congress in Paris, France, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, provided insight into details of the proposals for the revised EU data protection framework. She focused explicitly on solutions for international data transfers, promoting Binding Corporate Rules (“BCRs”) as a solution that can offer a simplified, yet comprehensive, structure for safeguarding international flows of data. Commissioner Reding referred to BCRs as offering the possibility of consistent enforcement and legal certainty, without stifling innovation.
On November 17, 2011, the German Association for Data Protection and Data Security (“GDD”) held its 35th Privacy Conference (“DAFTA”) in Cologne, Germany. At the opening plenary session, Paul Nemitz, Director for Fundamental Rights and Citizenship of the European Commission, announced that the European Commission plans to implement a Regulation that is directly applicable to all EU Member States, to harmonize data protection laws in Europe.
On November 16, 2011, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2010 (the “Report”) highlighting its main 2010 accomplishments and outlining some of its priorities for the upcoming year. This year’s Report covers events that occurred since last year’s publication of the Annual Activity Report for 2009.
On November 3, 2011, the Labor Chamber of the French Court of Cassation (the “Court”) upheld a decision against a company that unlawfully used a geolocation device to track the company car of one of its salesmen. Although the company notified the salesman that a geolocation device would be used to optimize productivity by analyzing the time he spent on business trips, the device was in fact used to monitor his working hours, which ultimately led to a pay cut.
On November 17, 2011, Senator Jay Rockefeller (D-WV), Chair of the Senate Committee on Commerce, Science and Transportation, issued a statement emphasizing the need for increased consumer protection on the Internet. Rockefeller cited “disturbing” reports about Facebook’s ability to track non-members and members who have logged out of the site, stating that companies should not be tracking users without their consent.
On November 13, 2011, Asia-Pacific Economic Cooperation (“APEC”) leaders endorsed the APEC Cross-Border Privacy Rules (“CBPRs”) system at an APEC meeting in Honolulu, Hawaii. The Leaders’ Statement also endorsed interoperability between national and regional privacy and data protection regimes to facilitate moving data around the globe while protecting privacy.
On November 2, 2011, Germany’s Federal Minister of the Interior met with stakeholders from the social networking industry and announced the development of a self-regulatory code for social networks. According to the Ministry’s press release, the code is aimed at enhancing data protection, consumer protection and the protection of minors on the Internet.
In endorsing the initiative, the Interior Minister stated, “self-regulation can also prove efficient in the social networking context, allowing for quick and flexible arrangements that enhance transparency and user trust. These rules should apply regardless of where a company is based.” The Minister also stressed that the current, ongoing review of the EU data protection framework will figure prominently in the development of the Code.
A first draft of the Code is expected in March 2012.
This week, the Digital Advertising Alliance (the “DAA”) unveiled new “Self-Regulatory Principles for Multi-Site Data” (the “Principles”), aimed at expanding the scope of industry self-regulation with respect to online data collection. The Principles are designed to supplement the Self-Regulatory Principles for Online Behavioral Advertising, which were issued in July 2009. The DAA is composed of several constituent industry groups such as the American Association of Advertising Agencies, Council of Better Business Bureaus, the Direct Marketing Association and the Interactive Advertising Bureau.