On April 8, 2015, the Federal Communications Commission announced a $25 million settlement with AT&T Services, Inc. (“AT&T”) stemming from allegations that AT&T failed to protect the confidentiality of consumers’ personal information, resulting in data breaches at AT&T call centers in Mexico, Colombia and the Philippines. The breaches, which took place over 168 days from November 2013 to April 2014, involved unauthorized access to customers’ names, full or partial Social Security numbers and certain protected account-related data, affecting almost 280,000 U.S. customers.
On August 6-10, 2014, the APEC Data Privacy Subgroup (“DPS”) and its parent committee, the Electronic Commerce Steering Group (“ECSG”), met in Beijing, China, for another round of negotiations, meetings and workshops. The Centre for Information Policy Leadership at Hunton & Williams participated as part of the U.S. delegation. The principal focus of the meetings was again on the further implementation of the APEC Cross-Border Privacy Rules (“CBPR”) system and related work relevant to cross-border interoperability. The following is a summary of highlights and outcomes from the meetings:
On April 30, 2014, the Asia-Pacific Economic Cooperation (“APEC”) released the Findings Report of the Joint Oversight Panel of the APEC Cross-Border Privacy Rules (“CPBR”) system, confirming that Japan has met the conditions for participation in the CBPRs. Accordingly, Japan has now joined the U.S. and Mexico as a participant in the APEC CBPRs. Canada recently expressed its intent to join the system soon, and other APEC economies are in the process determining how and when they may join.
As reported by Bloomberg BNA, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) recently issued data security guidelines that implement the security provisions of the Federal Law for the Protection of Personal Data Held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares).
On March 8, 2013, a U.S. federal appeals court issued a decision in the case United States v. Cotterman, holding that the federal government must have “reasonable suspicion” of criminal activity to conduct a forensic search of laptops and similar devices in the possession of individuals attempting to cross the border. The case arose after Howard Cotterman attempted to enter the United States by car at a checkpoint on the Mexican border. When border agents determined that he had a criminal record related to sexual misconduct, they seized his laptop and attempted to search it. They initially discovered some password-protected files but no proof of illegal activity and allowed him to enter the country but did not return his laptop. The agents then subjected the computer to a forensic analysis and discovered it contained child pornography in portions of the hard drive that had been deleted or protected with passwords. The federal district court ordered suppression of this evidence in the criminal case against Cotterman on the ground that the agents’ forensic analysis of his computer violated the Fourth Amendment’s prohibition on warrantless searches.
On July 26, 2012, acting U.S. Secretary of Commerce Rebecca Blank announced that APEC’s Joint Oversight Panel has approved the United States’ request to participate in the APEC Cross-Border Privacy Rules System. The panel also approved the Federal Trade Commission’s participation as the system’s first privacy enforcement authority. The next step will be for the United States to nominate one or more accountability agents for the panel’s approval. Accordingly, the Department of Commerce will publish a Federal Register Notice in the coming days to provide guidance on how potential accountability agents may seek recognition. Once a U.S. accountability agent has been approved, American companies will be able to submit their cross-border privacy rules to be recognized as meeting the APEC standard.
On May 26, 2012, the United States government submitted its request to participate in the APEC Cross-Border Privacy Rules (“CBPRs”) system. The CBPRs system was endorsed by APEC leaders in November 2011. The protocol requires a participating economy to submit:
- A letter of intent to participate;
- Confirmation that a privacy enforcement agency in the economy is a participant in the Cross-Border Privacy Enforcement Arrangement;
- Notice that the economy intends to make use of at least one APEC-recognized accountability agency; and
- A description of the domestic laws and other legal mechanisms to give effect to the enforcement activities related to the activities of the accountability agent, which also must include an enforcement map.
Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 7-9, 2012. Hunton & Williams privacy professionals will be featured speakers in the following sessions:
- Mending Fences after a Breach
Thursday, March 8, 12:15 p.m.
Speakers include: Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice, Hunton & Williams LLP; Susan Grant, Director of Consumer Protection, Consumer Federation of America; and Joanne B. McNabb, Chief, California Office of Privacy Protection. Continue Reading 2012 IAPP Global Privacy Summit
On December 21, 2011, Mexico issued the final version of its Regulations of the Federal Law for the Protection of Personal Data Held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares). The regulations, which contain mostly minor changes to the prior draft that was released in October, will take effect on December 22, 2011. Notable updates in this final draft include:
- clarification of notice and consent requirements;
- changes to restrictions on cloud computing;
- updates to requirements regarding data transfers; and
- clarifications regarding data subjects’ rights.