For Auld Lang Syne: US President Recognizes "Privacy as a Cardinal Principle of American Liberty"
The year was 1974.
Happy new year to the readers of the Hogan Lovells Chronicle of Data Protection!
District Court Dismisses Most Claims Related to Heartland Data Breach
This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office
.jpg)
A federal judge dismissed all but one of the claims (PDF) brought against Heartland Payment Systems, a payment card processor, in a class action lawsuit stemming from a breach of Heartland’s computer systems, demonstrating that it may be difficult to hold companies legally responsible for breaches of their data. The plaintiffs of the class action lawsuit, nine financial institutions that issued payment cards to consumers affected by the breach, balked at Heartland’s settlement offers and instead sought relief from the court, alleging breach of contract, negligence, misrepresentation, and violations of several states’ consumer-protection statutes. Only the alleged violation of Florida’s consumer-protection statute survived Heartland’s motion to dismiss, an outcome which may deter future plaintiffs affected by data breaches from rejecting settlement offers to litigate their claims.
Invitation to January 12 Event for Bay Area Readers of the HL Chronicle of Data Protection
We are pleased to invite Bay Area readers of the Hogan Lovells Chronicle of Data Protection to a morning event in Palo Alto on January 12, 2012, "Privacy and Information Management: A Global Perspective on What Businesses Should Expect in 2012."
Change is in the air for privacy law and regulation worldwide. The privacy practice at Hogan Lovells spans the globe across our 40 offices in the United States, Europe, Latin America, the Middle East, and Asia. This program will reflect the perspectives of the lawyers in our worldwide privacy practice, and will present the viewpoints of U.S. leaders from the Federal Trade Commission, a prominent technology-focused NGO, and academia, as we take a look back at privacy law developments in 2011 and take stock of the expected developments and focus on privacy law in 2012.
The program will feature FTC Commissioner Julie Brill, Jim Dempsey from the Center for Democracy and Technology and Ryan Calo from the Stanford Law School Center for Internet and Society. It will be moderated by Hogan Lovells Privacy and Information Management practice directors Marcy Wilder and Chris Wolf.
If you would like an invitation to register for this event, please contact justin.portaz@hoganlovells.com
Privacy of Private Pilots Upheld
A serious challenge to the personal privacy of private aviators was averted on December 1st, when the Federal Aviation Administration (FAA) rescinded a rule that would have terminated a long-standing procedure whereby private pilots were permitted to shield their flights from real-time flight tracking information made available to the public.
The National Business Aviation Association (NBAA) filed comments opposing the change as out of step with mainstream government policy regarding personal privacy. Despite receiving hundreds of similar comments from the general aviation community, the FAA adopted the change as proposed. Henceforth, the only applicants eligible to shield their flights from public tracking would be those who could demonstrate a "valid security concern." Generalized concerns about personal privacy would no longer suffice, the agency said.
The NBAA joined forces with the Aircraft Owners and Pilots Association (AOPA) and challenged the new rule in the D.C. Circuit. In November, budget legislation covering the Department of Transportation (DOT) was enacted along with an amendment that prohibited the FAA from using appropriated funds to implement the new restrictions.
On December 1st – one day before a scheduled oral argument in the appeal – the FAA announced that it was rescinding the new rule in its entirety and on a permanent basis. The Federal Aviation Administration has announced that, effective immediately, those wanting to enroll aircraft in the Block Aircraft Registration Request (BARR) program would no longer need to provide a "valid security concern" in order to be included in the program.
Hogan Lovells represented the NBAA and the AOPA in this matter.
Article 29 Working Party Rebuffs European OBA Industry... Again
In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising (OBA) industry’s self-regulatory proposal for the placement of cookies on European citizens’ computers for the purposes of targeted advertising while only providing notice and offering an opportunity to opt out of the tracking. If you didn’t catch it the first, second, third, or fourth time around, the Working Party again proclaimed that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. In this most recent opinion, the Working Party broke down the OBA industry proposal, and then—in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows—offered up a number of methods of obtaining consent not involving pop-ups.
Details of EU Data Protection Reform Reveal Dramatic Proposed Changes
EU privacy law is under scrutiny and proposals for change are coming. The European Commission (EC) last year announced an upcoming reform of the EU Data Protection Directive (95/46/EC), which was a hot topic of last week’s IAPP Europe Data Protection Congress in Paris (in which Hogan Lovells privacy lawyers from around the world participated). Changes are anticipated near the end of January. Some of the details of those changes, however, have emerged earlier than expected, as this week the EC circulated for comment two proposed legal instruments that likely will form the baseline of the EU’s data protection framework for years to come.
IAPP Europe Data Protection Congress, Paris - Day 2 - Summary of Peter Hustinx' keynote address
On the second day of the IAPP Europe Data Protection Congress held in Paris, France, the keynote speech was given by Peter Hustinx, the European Data Protection Supervisor.
In his address, Mr. Hustinx offered an opinion on where he thinks the revision of the European data protection framework is headed. Basing his remarks on a Stanford Law review article, "Privacy in the books and privacy on the ground," he advocated the revision of the European data protection framework which would provide innovative and efficient means to deliver privacy on the ground, by empowering data subjects and data protection authorities, as well as providing greater legal certainty for data controllers.
Continue Reading...An injunction too far: The Court of Justice of the European Union (ECJ) rules out injunctions against ISPs that allow general filtering to prevent illegal downloading
By David Taylor, Partner, Paris
In what is both a highly anticipated and expected ruling issued on 24 November 2011, the Court of Justice of the European Union (the "ECJ") has held that under EU law, a national court cannot impose an injunction requiring an ISP to install a wide ranging filtering system in order to tackle illegal downloading since such an injunction is incompatible with EU law and the associated limitations on intermediary liability.
The ECJ judged that European directives on E-Commerce, Copyright Harmonisation, Enforcement of Intellectual Property Rights and Data Protection can prevent National Courts from imposing general filtering measures on internet service providers ("ISPs") to block illegal downloading using peer to peer ("P2P") networks.
Continue Reading...Ground breaking modification of the Spanish laws
By Pablo Rivas in our Madrid Office
A decision last week by the Court of Justice of the European Union ("ECJ") introduces an important change to the Spanish data protection framework. Prior to the decision, Spain did not recognize the "legitimate interest" justification for the processing of personal data; "legitimate interest" was only applicable for the processing of data collected from public sources or where the "legitimate interest" was specifically provided for in Spanish or European Community law. As a result, companies had to rely on data subjects' consent as the way of carrying out the majority of the data processing in Spain.
The ECJ’s ruling may change this, although the actual impact of the decision is unclear. The ECJ concluded that the "legitimate interest" justification for the processing of personal data as set forth in the Data Protection Directive also should be available in Spain. However, the Spanish Data Protection Agency ("SDPA") issued a press release following the decision which stated that companies may not carry out processing of data exclusively based on their "legitimate interest," but will be required to balance both their "legitimate interest" and fundamental rights and freedoms of the data subjects involved in the data processing.
Based on the press release, it appears that the SDPA, at least at the beginning, will adopt a restrictive approach with respect the application of the "legitimate interest" justification, although it also is likely that the SDPA will have to revise some of its criteria for evaluating matters such as whistleblowing or geolocation services in which the Working Party 29 advocates for applying the "legitimate interest." We will keep you posted on developments.
The Ruling of the ECJ is published in English and can be found HERE
