Privacy & Information Security Law Blog

On May 13, 2015, the Belgian Data Protection Authority (the “DPA”) published a recommendation addressing the use of social plug-ins associated with Facebook and its services (the “Recommendation”). The Recommendation stems from the recent discussions between the DPA and Facebook regarding Facebook’s privacy policy and the tracking of individuals’ Internet activities.

On May 7, 2015, the Digital Advertising Alliance (“DAA”) announced that, as of September 1, 2015, the Council of Better Business Bureaus and the Direct Marketing Association will begin to enforce the DAA Self-Regulatory Principles for Online Behavioral Advertising and the Multi-Site Data Principles (collectively, the “Self-Regulatory Principles”) in the mobile environment.

On May 5, 2015, the Financial Crimes Enforcement Network of the U.S. Treasury Department (“FinCEN”), in coordination with the U.S. Attorney’s Office for the Northern District of California (“USAO”), announced a civil monetary penalty of $700,000 against Ripple Labs, Inc. (“Ripple Labs”) and its subsidiary XRP II, LLC (“XRP II”) for violations of the Bank Secrecy Act (“BSA”). This assessment represents the first BSA enforcement action against a virtual currency exchanger by FinCEN. The fine coincides with a settlement agreement between Ripple Labs, XRP II and the USAO to resolve any criminal and civil liability arising out of these activities, the terms of which include a $450,000 forfeiture and full cooperation by Ripple Labs in the ongoing investigation.

On May 11, 2015, the French Data Protection Authority (“CNIL”) and the UK Information Commissioner’s Office (”ICO”) announced that they will participate in a coordinated online audit to assess whether websites and apps that are directed toward children, and those that are frequently used by or popular among children, comply with global privacy laws. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world.

On May 5, 2015, the Centre for Information Policy Leadership at Hunton & Williams (“CIPL”) filed comments in English and Portuguese on Brazil’s draft law “on the processing of personal data to protect the personality and dignity of natural persons” (the “Draft Law”).

On May 7, 2015, the U.S. Court of Appeals for the Second Circuit sided with the American Civil Liberties Union, holding that the National Security Agency’s (“NSA’s”) collection of metadata relating to domestic phone records is not permitted under the PATRIOT Act. This ruling overturns a December 2013 Southern District of New York decision finding that the NSA’s telephone data collection program is lawful under Section 215 of the PATRIOT Act. The Second Circuit did not issue a preliminary injunction to stop the program or address questions as to whether the program is ...

On April 28, 2015, the Florida House of Representatives passed a bill (SB 766) that prohibits businesses and government agencies from using drones to conduct surveillance by capturing images of private real property or individuals on such property without valid written consent under circumstances where a reasonable expectation of privacy exists.

Hunton & Williams’ EU Privacy and Cybersecurity practice lawyers recently authored The Proposed EU General Data Protection Regulation – A guide for in-house lawyers (the “Guide”), addressing the key impacts of the forthcoming changes to EU data protection law. Current EU data protection law is based on the EU Data Protection Directive 95/46/EC (the “Directive”), which was introduced in 1995. An updated and more harmonized data protection law, in the form of a Regulation, has been proposed by the EU’s legislative bodies to replace the Directive. The Guide is intended to assist in-house lawyers in understanding the likely impact of the Regulation on businesses. While still under negotiation, the Regulation will significantly change the landscape of EU privacy and data protection in several key areas, including:

Last week, the Cybersecurity Unit of the U.S. Department of Justice (the “Justice Department”) released a guidance document, entitled Best Practices for Victim Response and Reporting of Cyber Incidents (“Guidance”), discussing best practices for cyber incident response preparedness based on lessons learned by federal prosecutors while handling cyber investigations and prosecutions. The Guidance is intended to assist organizations with preparing to respond to a cyber incident, and emphasizes that that the best time to plan a cyber response strategy is before an incident occurs. The Justice Department drafted the Guidance with smaller, less-experienced organizations in mind, but also believes that larger organizations may benefit from its summary of best practices.

The Department of Health and Human Services (“HHS”) recently announced a resolution agreement and $125,000 settlement with Cornell Prescription Pharmacy (“Cornell”) in connection with the disposal of prescription records in an unsecured dumpster on Cornell’s premises. After receiving a report from a Denver television station regarding Cornell’s disposal practices, the HHS’ Office for Civil Rights (“OCR”) investigated Cornell and found several HIPAA Privacy Rule violations, including that Cornell had failed to: