On November 19, 2013, the Federal Trade Commission will hold its first-ever workshop on the Internet of Things. The workshop does not aim to debate regulation or codes of conduct, but is rather a fact-finding mission aimed at uncovering the privacy and security concerns inherent in the Internet of Things, where a range of devices collect and communicate personal information perpetually.
On October 25, 2013, the Standing Committee of China’s National People’s Congress passed an amendment (in Chinese) (the “Amendment”) to the 1993 Law of Protection of Consumer Rights and Interests (the “Consumer Protection Law”), which addresses longstanding issues related to e-commerce fraud and illegal disclosures of consumers’ personal information. The Amendment, which takes effect on March 15, 2014, reforms China’s 20-year-old consumer protection law by providing more robust protections to consumers, including provisions that restrict the collection, use, and disclosure of consumers’ personal information and require consent to send commercial communications.
California recently passed a law updating its breach notification requirements and making it the first state to expand the definition of personal information to expressly include login credentials for online accounts.
The California legislature passed Senate Bill (S.B.) 46 in early September 2013 and the Governor signed it into law on September 27. S.B. 46 amends the text of California Civil Code Section 1798.82, the existing data breach notification law applicable to private businesses, and a companion provision, California Civil Code Section 1798.82, applicable to government agencies. These were the first such laws in the United States (in effect since July 1, 2003). California has previously amended these laws to address issues such as expanding the definition of personal information to include medical and health insurance information and to require Attorney General notice for breaches affecting more than 500 California residents. The latest amendments become effective as of January 1, 2014.
The National Institute of Standards and Technology (NIST) has published its Preliminary Cybersecurity Framework pursuant to Executive Order 13636 on Improving Critical Infrastructure Cybersecurity. The Executive Order further directs NIST to include “methodologies . . . to protect individual privacy and civil liberties,” which NIST has done by including a draft Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program (Privacy Methodology) in Appendix B of the Preliminary Cybersecurity Framework.
To read “What Privacy Professionals Should Know About the NIST Cybersecurity Framework,” click here.
The Spanish Data Protection Agency has published its annual report for 2012 (“Memoria 2012”, in Spanish). The report contains a detailed description of the activities undertaken by the Spanish DPA in 2012, together with its view of the latest trends and challenges related to data protection.
Among the highlights of the report:
On October 22, the FTC announced a settlement with national “rent-to-own” retailer Aaron’s, Inc. on charges that it knowingly assisted its franchisees in tacitly collecting images and information about their customers. Specifically, the FTC alleges that Aaron’s “played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including taking webcam pictures of them in their homes.” Aaron’s is a national “rent-to-own” retailer of consumer electronics, residential furniture, and household appliances that allows companies to rent products with an option to purchase them.
On 16 October 2013, the Polish Ministry of Economy published draft amendments to Poland’s data protection law, the Polish Act of 29 August 1997 on the Protection of Personal Data (“PPD”), aimed at easing administrative obligations regarding the compulsory hiring of data protection officers and registration of data filing systems with the Polish Data Protection Authority (“DPA”). Under the proposed legislation, companies would have the flexibility to decide whether to appoint an administrator of information security (“AIS”), currently a legal requirement. A data controller regulated under the PPD would be able to strategically choose whether to appoint an AIS, a move that would increase its compliance obligations and the company’s visibility to regulators in return for reduced external filing obligations.
Class action litigation challenging the practice of merchants that ask customers to provide their ZIP codes has expanded into the District of Columbia. In a suit filed earlier this year, plaintiffs alleged that retailers in the District of Columbia violated a law prohibiting the collection of addresses or telephone numbers incident to in-person credit card transactions when the retailers asked the plaintiffs to provide their ZIP codes at the point of sale. The suit represents an important new front in ZIP code litigation, which previously had been concentrated in California and Massachusetts, and has important implications for the ability of plaintiffs to establish standing in privacy-related actions more generally.
For a detailed analysis of the case and its implications for the spread of class action litigation, click here for an InsideCounsel article authored by Hogan Lovells attorneys Des Hogan and Adam Cooke.
On October 22, NIST released the official Preliminary Cybersecurity Framework under development pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity. A formal 45-day comment period will begin once the Preliminary Cybersecurity Framework is published in the Federal Register, which is expected next week. NIST remains on track to meet the Executive Order’s February 2014 deadline for issuance of the final Cybersecurity Framework. NIST officials (including Director Patrick Gallagher) spoke with reporters today about the release of the Preliminary Cybersecurity Framework and answered various questions.
The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) voted on Monday to adopt its report on the draft General Data Protection Regulation and the separate Directive for the law enforcement sector. This vote sets out the Parliament’s position for its negotiations with the Council and Commission (known as the “trialogue” stage). The Committee aims to have a plenary Parliamentary vote in March before the Parliamentary elections.