HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

Recording and Deck from Webinar: Update on New Russia Data Localization Law

Thank you to everyone who participated in the Hogan Lovells webinar “Russia Data Localization Update: New Details Emerge from Meetings with Russian Regulator” on 2 April 2015. This update follows an October 2014 presentation that outlined Russia’s newly enacted Data Localization Law. In this webinar, Hogan Lovells privacy and data protection attorneys Natalia Gulyaeva and Bret Cohen provided insight into the expectations of Russian regulators as the September 2015 implementation deadline approaches.

To access a copy of the slide deck, click here.

To access the recorded webinar, click here (1 hr 17 mins — the webinar will start to play automatically).

Stay tuned to the blog for future updates on the law, including any future formal guidance from the Russian government.

Posted in Consumer Privacy, Privacy & Security Litigation

Court Allows FTC to Move Forward in “Common Carrier” Exemption Case

Last week, U.S. District Court Judge Edward M. Chen denied AT&T Mobility’s motion to dismiss the Federal Trade Commission’s (FTC’s) October 2014 complaint alleging that AT&T engaged in unfair and deceptive practices in connection with its retail mobile broadband data services. AT&T argued that its status as a common carrier makes it exempt from enforcement of the FTC Act. The court disagreed. At issue is the scope of the common carrier exemption.

Posted in Consumer Privacy, International/EU Privacy

Canada’s Anti-Spam Law: First CASL Enforcement Action Brings $1.1 Million Penalty

Earlier this month, the Canadian Radio-television and Telecommunications Commission’s (“CRTC’s”) Chief Compliance and Enforcement Officer issued a Notice of Violation and $1.1 million penalty to Compu-Finder for four violations of the Canadian Anti-Spam Legislation (“CASL”). Although Compu-Finder was apparently engaged in “flagrant” CASL violations, according to the Chief Compliance and Enforcement Officer, the CRTC also confirmed that it is assessing CASL complaints and that “a number of investigations are currently underway.” Therefore, organizations engaging with individuals located in Canada should review their communications and marketing practices for compliance under CASL and other applicable law.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Executive Order Authorizes Economic Sanctions as New Tool for U.S. Cyber Defense

On 1 April 2015, President Obama signed an Executive Order (the Order) authorizing the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities constituting a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. The Treasury Department’s Office of Foreign Assets Control (OFAC) simultaneously released FAQs related to the Order. The White House, in a statement by President Obama and in FAQs on the White House Blog, explained that the Order will be used to impose targeted sanctions against the “worst of the worst” malicious cyber actors, as well as companies that knowingly use stolen trade secrets.

Posted in Cybersecurity & Data Breaches

Hogan Lovells’ IAPP Tracker Post Highlights Data Security and Breach Notification Legislation in Congress

The following piece, written by the Hogan Lovells privacy team, was posted to the International Association of Privacy Professionals’ (IAPP) Privacy Tracker on March 31. The post, Data Security and Breach Notification Legislation Gaining Traction in Congress, is reprinted in its entirety below with permission from the IAPP.

For more than a year now, we have been hearing that the spate of highly-publicized data breaches could lead to federal data security and data breach legislation. On March 25, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade took action that brings us closer to seeing that prediction become a reality. In this post, we take a closer look at the bipartisan legislation approved by the subcommittee—the Data Security and Breach Notification Act of 2015 (DSBN)—and discuss five key provisions that are likely to be at issue as the legislation moves forward.

Posted in International/EU Privacy

The Netherlands: New Rules for Cookies, Data Breaches and Fines

Recently, new rules on cookies (all links in Dutch) came into force in the Netherlands. In addition, the Dutch Second Chamber approved a draft bill to introduce a mandatory data breach notification requirement and to strengthen the Dutch Data Protection Authority’s investigative and fining powers. The new rules apply to all companies acting as a “data controller” within the meaning of the Dutch Data Protection Act. The Dutch First Chamber has announced that it plans to review this draft bill as soon as possible.

Posted in Consumer Privacy

U.S. FCC Decision Triggers Potential Sea Change in Broadband ISP Data Privacy and Security Requirements

In its recent Open Internet Order (“Order”), the U.S. Federal Communications Commission (FCC) determined that broadband Internet access services are appropriately classified as common carrier “telecommunications services” under the Telecommunications Act of 1996. In doing so, the agency established itself as the primary U.S. data privacy and security regulator for those services and triggered additional requirements under the Act. It also promised a future rulemaking that could result in a sea change in how ISPs and their business partners interact with consumer data. Although the decision is widely expected to be appealed in court, organizations operating across the broadband ecosystem would be prudent to assess the potential impact on their current and planned online service portfolio.

Posted in International/EU Privacy

Russia Data Localization Law Update and Webinar: New Details Emerge from Meetings with Russian Regulator

With the September 2015 effective date of Russia’s Data Localization Law less than six months away, the Russian data protection authority, Roskomnadzor, has still not issued any formal guidance on how it interprets the law’s broad requirement that companies must process and store the personal data of Russian citizens within Russia. Roskomnadzor has, however, recently held a series of meetings with different industry groups about the law. While Roskomnadzor’s views as expressed in these meetings do not constitute a formal position, they provide insight into how the regulator is likely to interpret the law.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

IPTF Seeks Public Input on Key Cybersecurity Challenges Facing the Digital Economy

On March 16, the U.S. Commerce Department’s Internet Policy Task Force (IPTF) published a Request for Public Comment for input on the key cybersecurity issues affecting the digital ecosystem and digital economic growth. The IPTF aims to coordinate and facilitate consensus-based multistakeholder processes to generate collective guidance and identify best practices. Through this effort, the IPTF seeks to broaden the focus of federal cybersecurity efforts beyond securing critical infrastructure. A number of key cybersecurity challenges have been identified in the Request for Public Comment, and the IPTF is inviting commenters to highlight other topic areas that the IPTF should consider including as part of this process.

Posted in International/EU Privacy

Regulators Write to Manufacturers to Highlight Concerns Over Connected Devices

The UK and Canadian data protection regulators have written to webcam manufacturers to highlight concerns about the safety of internet-connected devices and to enlist their assistance in reducing the risks posed by their products. In particular, the regulators call for manufacturers to roll out privacy-friendly default settings, implement “privacy by design” – whereby data protection and privacy considerations are built into the design and manufacturing process – and provide increased guidance to consumers about ensuring the security of devices.