The conditions for transborder data flows may become more uniform in the EU under the proposed Data Protection Regulation, but restrictions on foreign data transfers are now appearing in new data privacy laws and regulations in several regions of the world, posing global compliance challenges.
As 2011 is coming to a close, many of us are thinking about what 2012 will bring. With regard to privacy, there are numerous key issues to choose from (and I am sure many privacy professionals would add to this list) - but from a corporate compliance standpoint, here are my top five picks for hot topics to address in 2012:
Dan Or-Hof, a privacy and technology partner at the Israeli law firm Pearl Cohen Zedek Latzer is reporting that new regulations and orders introduced by Israel's Ministers Committee for Biometric Applications set the ground for a two-year biometric IDs issuance trial period. The Ministry of Home Affairs is making final preparations to start issuing the IDs that will contain encoded fingerprints and facial image, and will be stored in a national database. A campaign led by privacy activists against the controversial biometric database has failed to yield a positive result so far.
It is being reported that Moscow prosecutors conducted an investigation into whether several websites that were involved in data breaches earlier this year violated the country's data protection law. As a result of the breaches, names, contact information and order histories of Internet magazine subscribers (including adult-themed publications) became available on Internet search engines, including Russian-language Yandex. Without naming the websites, the report states that the prosecutors have filed administrative charges against two Internet magazines as a result of the investigation.
On July 20, 2011, the U.S. House of Representatives Energy and Commerce Committee's Trade Subcommittee approved the Secure and Fortify Electronic Data Act (the "SAFE Data Act"). The Act would require any business that maintains personal information to implement an information security program and notify affected individuals in the event of an information security breach. The SAFE Data Act would preempt the over 45 existing state information security and breach notification laws and task the Federal Trade Commission with developing information security rules implementing the Act.
Last week, the upper house of Russia's federal legislature approved amendments to the country's federal data protection law. The amendments impose detailed information security requirements on businesses that process personal data and revise some of the statute's data subject consent provisions.The amended law will come into force when it is published in the official newsletter.
The Federal Trade Commission announced today that Teletrack, Inc. has agreed to pay $1.8 million to settle charges that the company sold credit reports for marketing purposes, in violation of the Fair Credit Reporting Act (FCRA). According to the FTC's complaint, Teletrack sells credit reports and other services to businesses that mainly serve financially distressed consumers. Teletrack's business customers include pay day lenders, rental purchase stores and non-prime rate auto lenders. These businesses use Teletrack's credit reports to decide whether and on what terms to extend credit to their customers.
On May 16, 2011, EU's Article 29 Working Party (WP29) adopted an opinion setting out privacy compliance guidance for mobile geolocation services.WP29 is comprised of representatives from the EU member states' data protection authorities (DPAs), the European Data Protection Supervisor and the European Commission. WP29's mandate includes (i) giving expert advice to the EU member states regarding the implementation of European data protection directives, and (ii) promoting uniform implementation of the directives in all EU state members as well as in Norway, Liechtenstein and Iceland. WP29's opinions, therefore, carry significant weight in the interpretation and enforcement of data protection laws by European DPAs. Not surprisingly, WP29 has concluded that geolocation data is "personal data" subject to the protections of the European data protection framework, including the EU Data Protection Directive 95/46/EC. The Working Party also determined that the collection, use and other processing of geolocation data through mobile devices generally requires explicit, informed consent of the individual. Below are the highlights of the opinion.
Mr. Kwang Hyun Ryoo, a partner at the Korean law firm of Bae, Kim & Lee LLC, is reporting in the firm's newsletter that on March 29, 2011, Korea enacted a comprehensive personal data protection law, entitled Personal Information Protection Act (PIPA). Most of the act's provisions will come into force on September 30, 2011.
On May 12, 2011, the Federal Trade Commission announced that the operators of 20 online virtual worlds have agreed to pay $3 million to settle charges that they violated the Children's Online Privacy Protection (COPPA) Rule by collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents' prior consent. The FTC noted that this settlement is the largest civil penalty for a violation of the FTC's COPPA Rule.
On May 10, 2011, the Senate Subcommittee on Privacy, Technology and the Law held a hearing on mobile privacy. We covered the hearing in detail on our blog. Yesterday, InfoLawGroup partner Boris Segalis spoke with Fox Live's Tracy Byrnes about the balance between business and consumer interests that mobile privacy implicates.The clip from the interview is available on Fox at http://video.foxnews.com/v/4689248/the-congressional-mobile-privacy-hearing/?playlist_id=86861
As we have reported previously on our blog, federal agencies, including the FTC, NLRB and EEOC have been very active in taking action against privacy and information security violations. This trend continues with the Securities and Exchange Commission's (SEC's) recent announcement of a settlement with three former executives a brokerage firm (GunnAllen Financial, Inc.). The SEC alleged that the former executives violated the Commission's Privacy Rule and Safeguards Rule (Regulation S-P) and aided and abetted the firm in violating these rules. This enforcement action marks the first time the SEC assessed financial penalties against individuals charged solely with violating Regulation S-P.
The Google Buzz settlement that the Federal Trade Commission announced on March 30, 2011 is the latest in the line of the Commission's numerous Section 5 actions related to privacy and data security violations. The Google Buzz settlement, however, is unique in several important ways. The settlement represents (i) the first FTC settlement order has requires a company to implement a comprehensive privacy program to protect the privacy of consumers' information, and (ii) the Commission's first substantive U.S.-EU Safe Harbor framework enforcement action. Let's dive in (make sure to read the "Action Item" at the conclusion of the post!).