New TCPA Reform Bill Introduced in House

Representatives Terry (R-NE) and Towns (D-NY) have introduced legislation intended to modernize the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) and authorize additional calls to wireless telephone numbers.


CNIL Cites French Yellow Pages Operator for Illegal Use of Social Media Data

France's Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), announced on September 23, 2011 that it had found the French provider of universal telephone directory services, “Pages Jaunes,” guilty of violating several provisions of the French data protection law. The CNIL did not fine Pages Jaunes, but published a detailed warning listing each privacy violation that the CNIL had identified during its investigation of Pages Jaunes’s activities.

At issue was Pages Jaunes’s web crawler function, which Pages Jaunes has since discontinued. The crawler captured information contained in the Facebook, Twitter and LinkedIn profiles of persons having the same name as the person being looked up in the directory service. For example, if someone were to look up the telephone number of Pierre Dupont, Pages Jaunes would show Mr. Dupont’s phone number, and would also show information from social media sites relating to persons named Pierre Dupont. The information could include photos, the name of Dupont’s employer, the schools he attended, his geographic location, his profession, etc.


Another Court Dismisses for Lack of Standing a Group of Privacy Cases Where Plaintiffs Failed to Allege Concrete Harm; Other Defects Noted

The U.S. District Court for the Northern District of California earlier this week dismissed a purported privacy class action against Apple and a group of mobile ad networks, finding that the plaintiffs lacked standing. The decision in In re iPhone Application Litigation (PDF) is the latest in a line of dismissals of privacy lawsuits that have stalled because the plaintiffs failed to allege that they were damaged by the allegedly impermissible collection of personal information. The court dismissed the lawsuit without prejudice, allowing the plaintiffs to re-file their complaint if they can come up with articulable facts showing actual injury sufficient for standing, but the court also indicated serious problems with the claims asserted by the plaintiffs even if they were able to establish standing.


FTC Proposes Significant Changes to COPPA Rule

On September 15, the Federal Trade Commission (“FTC”) released its proposed revisions to the Children’s Online Privacy Protection Act (“COPPA”) Regulation. COPPA and the FTC’s COPPA Rule regulate the collection of personal information online from children under the age of thirteen. This proposed rule arises from an FTC COPPA Rule Review, through which the FTC solicited comments about every aspect of the COPPA Rule and held a public roundtable to discuss whether and how technological advances – such as the proliferation of social media, mobile computing, and mobile commerce – necessitated revisions to the COPPA Rule. After reviewing comments from stakeholders – including industry, advocacy groups, and academics – the FTC has proposed significant changes to the COPPA Rule that will have a marked effect on the operation of websites and other online services, including mobile applications, that collect personal information from children.

This is the first major revision to the COPPA Rule, and as the FTC wrote in the preamble to the proposed rule, “[t]he Commission remains deeply committed to helping to create a safer, more secure online experience for children and takes seriously the challenge to ensure that COPPA continues to meet its originally stated goals, even as online technologies, and children’s uses of such technologies, evolve.” While the proposed changes may help create a better online experience for children, the changes will also create significant regulatory hurdles for companies that will have to make changes to their current information practices to comply with any revised rule.

The proposed rule contemplates several major changes to the existing COPPA regime, which include:

  • clarification by the FTC that the COPPA Rule applies not only to websites, but also to other technologies that can be considered “online services,” such as mobile apps, network-connected games, and some text messages; 
  • a more expansive definition of “personal information” to include IP addresses, customer numbers held in cookies, device identifiers, the linking of information across websites, and geolocation information -- all of which may impact companies’ behavioral advertising activities;
  • streamlining and clarifying the notices that operators must provide to parents about their information collection practices;
  • changing the existing parental consent mechanism by removing the popular “email plus” verification method and adding several new methods;
  • enhancing security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place; and
  • changing the existing COPPA Safe Harbor program to require “safe harbor programs” to exercise more oversight.

HHS issues a model privacy notice for Personal Health Records and proposed regulations to grant patients the right to access lab results directly

Today the U.S. Department of Health and Human Services (HHS) issued a voluntary model privacy notice for Personal Health Records (PHRs) as well as new proposed rules that would expand the rights of patients to access test result reports directly from clinical laboratories covered by HIPAA. Both announcements were part of an HHS Consumer Health IT Summit.

The PHR model privacy notice is intended for use by PHR companies. HHS describes the notice as similar to the nutrition labeling required on food in the U.S., in that it is designed to present complex information in an understandable format. HHS provides a template that each PHR company can populate with its own data practices. The goal is to provide transparency about privacy practices. HHS expects that companies will continue to make a more in-depth privacy notice available as well.

HHS also has issued a proposed rule (PDF) to allow patients to directly access their own lab results. This proposed rule would amend the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to specify that, upon a patient’s request, the laboratory may provide access to completed test reports that, using the laboratory’s authentication process, can be identified as belonging to that patient. This proposed rule will be published in the Federal Register on September 14 with an expected 60-day comment period.

No Expectation of Privacy in Workplace E-mail Leads ABA to Impose Duty on Lawyers to Warn Clients

Employers have a right, and in some cases a duty, to monitor the e-mail communications of their employees that are sent from the employer's e-mail system. As a general matter, employees have no expectation of privacy in e-mails sent through their workplace system. Because employees who communicate with their personal lawyers through their employer's e-mail are subject to employer monitoring, the American Bar Association has issued a formal ethics opinion stating that lawyers have a duty to warn such employees that their e-mails may not be confidential.

The Opinion expressly reserves the question of whether the breach of confidentiality would vitiate the attorney-client privilege, declaring that "the law appears to be evolving." But the cases cited in the ethics opinion on when employee communications with counsel through workplace e-mail will remain privileged show that the circumstances in which the privilege is likely to survive are limited, leading to this observation:

Nevertheless, we consider the ethical implications posed by the risks that these communications will be reviewed by others and held admissible in legal proceedings.

Thus, the ABA concluded that a lawyer has an ethical obligation to advise a client of the risks of sending attorney-client communications via workplace e-mail.

The ABA ethics opinion raises the question of whether lawyers who know that their clients are using modes of communication that may not be secure, and that may be subject to interception and review by others (thus jeopardizing the privilege), have an ethical duty to warn their clients beyond the context of workplace e-mail.

In 2008, the New York State Bar opined that the use of Gmail for attorney-client communications retained the attorney-client privilege, even though e-mails sent through Gmail are subject to scanning by Google computers for the delivery of contextual advertising. But with the advent of many new means of electronic communication, from Facebook to Twitter and beyond, with smart mobile devices becoming a dominant method of communication, and with varying individual privacy and data security practices on the part of clients, quaere whether a lawyer has an ethical duty to evaluate a client's communications practices and to advise on the risks that confidentiality may be lost. The ABA Opinion opens the door to such an inquiry.

"Privacy Papers for Policy Makers, Vol 2" Released Today

Today, the Future of Privacy Forum (FPF), a Washington-based privacy think tank founded and co-chaired by Hogan Lovells privacy practice director Chris Wolf, released the newest edition of its Privacy Papers for Policy Makers. This year’s compilation highlights leading privacy writings voted by the FPF Advisory Board to be most useful for policy makers on Capitol Hill and within federal agencies who are focusing on how to improve the protection of personal privacy.

The writings cover a wide array of topics, including recommendations on how to reform notice and choice to empower consumer control over the collection and use of their data, understanding and valuing the use of personally identifiable information, and explaining the benefits of “online obscurity.”

The 2011 Privacy Papers for Policy Makers are:

Accountability as the Basis for Regulating Privacy: Can Information Security Regulations Inform Privacy Policy? Mary J. Culnan

Against Notice Skepticism (Forthcoming, 87 Notre Dame Law Review – 2010) Ryan Calo

The Case for Online Obscurity Woodrow Hartzog and Frederic Stutzman

Dispelling the Myths Surrounding De-Identification: Anonymization Remains a Strong Tool for Protecting Privacy (Seen in the Canadian Law Review, Vol. 8, No. 9, August 2011) Dr. Ann Cavoukian and Khaled El Emam

The Failure of Online Social Network Privacy Settings Michelle Madejski, Maritza Johnson and Steven Bellovin

The PII Problem: Privacy and a New Concept of Personally Identifiable Information Paul M. Schwartz and Daniel J. Solove

Notable Mentions:

Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning Chris Hoofnagle, Mika Ayenson, Deitrich James Wambach, Ashkan Soltani and Nathan Good

Regulating Privacy by Design Ira S. Rubinstein

The feedback that FPF received from Capitol Hill and other federal agencies after publishing the first edition of this publication demonstrated that it was an important resource for policymakers as they explored the myriad privacy issues confronting the public. With that in mind, it is expected that this year’s edition will enlighten leaders with the insights of prominent privacy scholars.

The works featured and digested were selected by members of the Advisory Board of the Future of Privacy Forum (scholars, privacy advocates and Chief Privacy Officers) based on criteria emphasizing clarity, practicality and overall utility. Two of the papers were selected by the chairpersons of the annual Privacy Law Scholars Conference (PLSC) to receive the International Association of Privacy Professionals (IAPP) award for the best papers presented at the 2011 PLSC event in Berkeley, CA last June.

The authors of the papers will be honored at a Washington, D.C. reception tonight. 

California Amends its Data Breach Notification Law

A new amendment to California’s security breach notification statute establishes specific content requirements for data breach notifications and imposes a new Attorney General notification requirement for breaches affecting more than 500 California residents. Senate Bill 24 (“SB 24”) was signed on August 31, 2011 by California Governor Jerry Brown and will take effect January 1, 2012. Since 2003, following California's enactment of the first-of-its-kind data breach notification laws (Cal. Civ. Code §§ 1798.29 & 1798.82), California law has required any person, business or state agency that owns or licenses computerized data that includes certain personal information to notify individuals when there has been a breach of that personal information, but it did not specify the type of information that should be contained in the notification. California now joins the ranks of several other states whose data breach notification laws contain breach notification content mandates.


Hong Kong Introduces a New Personal Data (Privacy) Amendment Bill

By Gabriela Kennedy (Partner) and Heidi Gleeson (Registered Foreign Lawyer), Hogan Lovells, Hong Kong.

The Personal Data (Privacy) Amendment Bill (the "Bill") was introduced into the Legislative Council on 13 July 2011. The Bill is the culmination of a lengthy consultation process on the reform of the Personal Data (Privacy) Ordinance (the "Ordinance") which commenced in 2009. The Bill aims to bring the Ordinance in line with technological and other advancements that have occurred since the Ordinance was enacted 15 years ago, and is in part a response to the mounting public concern over a number of high-profile instances of misuse of personal data in Hong Kong.

The most significant amendments relate to direct marketing and the sale of personal information, data processing, and the powers of the Privacy Commissioner for Personal Data (the "Privacy Commissioner"). The Bill also introduces increased penalties for breaches of the Ordinance. These key amendments are discussed below.


HHS extends comment period on human subjects research proposals

The U.S. Department of Health and Human Services (HHS) today extended the public comment period for its new proposed requirements for human subjects research under the Common Rule. HHS’ proposal includes significant new data privacy and security obligations for research entities, including the creation of mandatory data security and information protection standards for all studies involving identifiable or potentially identifiable data, as well as potential new standards for de-identified data. HHS also proposes to categorize biospecimen research as involving identifiable information. HHS has extended the comment period by one month, making comments due by October 26, 2011. Read the notice of the extension here. For more information about the privacy and security components of the proposal, view our Health Privacy archive.

Upcoming EU Cloud Strategy Announced: Application of Local Privacy Laws Remains an Issue, To Be Explored at IAPP Navigate on September 14

The European Commission’s Vice-President for the Digital Agenda, Neelie Kroes, earlier this week indicated that the EC is aiming for a 2012 Cloud strategy that reflects the EU focus on human rights. She has recruited former U.S. federal Chief Information Officer Vivek Kundra to be an adviser in the creation of the strategy.

As reported in the Washington Internet Daily, Kroes and Kundra were speaking at Salesforce.com’s Dreamforce conference in San Francisco, where Kroes said that because "this is by definition a global issue," Europe should work with the U.S. and Asia in setting policy. But she also said that privacy and other human rights considerations are central to the way Europe approaches issues like this, "even if it's taking more time" to complete policymaking; "the human rights system ... is the basis of our democracy," Kroes is reported to have said.

In this connection, recall that Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, has proclaimed that an essential "pillar" of EU citizens' privacy rights is "protection regardless of location," which has obvious implications for the Cloud:

"[P]rotection regardless of data location" [] means that homogeneous privacy standards for European citizens should apply independently of the area of the world in which their data is being processed. They should apply whatever the geographical location of the service provider and whatever technical means used to provide the service. There should be no exceptions for third countries' service providers controlling our citizens' data. Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.

(The EU also generally takes the position that its privacy laws cover nationals of countries outside the EU whose data is processed in the EU, but France's data protection authority, the CNIL, recently exempted certain outsourcing services performed in France, a move followed by India with respect to its new privacy law, to the relief of companies performing outsourcing services in India.)

Presumably, Mr. Kundra's involvement in Vice-President Kroes's efforts to develop a Cloud strategy will help temper the rigid application of EU privacy laws to data stored in the Cloud.
