Privacy & Information Security Law Blog

On July 16, 2014, the Federal Trade Commission posted revisions to its Frequently Asked Questions that provide guidance on complying with the Children’s Online Privacy Protection Rule (the “COPPA Rule”). The revisions, which are in Section H of the FAQs, address the COPPA Rule requirement that operators of certain websites and online services obtain a parent’s consent before collecting personal information online from a child under the age of 13.

On July 17, 2014, the Belgian government announced that it has finalized its Royal Decree on the establishment of a Cybersecurity Center (Centrum Cyber Security België or Centre Cyber Security Belgique). The Cybersecurity Center’s tasks would be to monitor the country’s cybersecurity and manage cyber incidents. It also would oversee various cybersecurity projects, formulate legislative proposals relating to cybersecurity, and issue standards and guidelines for securing public sector IT systems. The Cybersecurity Center is expected to be operational by the end of ...

On July 15, 2014, the UK Information Commissioner’s Office (“ICO”) released its Annual Report for 2013/14 (the “Report”). Entitled Effective, Efficient - and Busier than Ever, the Report illustrates the rapid growth of data protection and freedom of information issues in the UK in the past year. It highlights the fact that the ICO has received increasing numbers of questions and complaints from members of the public, processed record numbers of cases, and issued its highest ever level of fines, totaling almost £1.97 million. The Report also emphasizes the fact that the ICO’s resources are stretched and, in a direct appeal to both the UK Parliament and the Ministry of Justice, calls for “stronger powers, a more sustainable funding system, and a clearer guarantee of independence.”

On July 10, 2014, the UK government announced plans to introduce emergency data retention rules, publishing the Data Retention and Investigatory Powers Bill (the “Bill”) along with explanatory notes and draft regulations. The publication of the Bill follows the European Court of Justice’s April 2014 declaration that the EU Data Retention Directive (the “Directive”) is invalid. Under the Directive, EU Member States were able to require communications service provides (e.g., ISPs) to retain communications data relating to their subscribers for up to 12 months.

On July 11, 2014, the French Data Protection Authority (the “CNIL”) announced that, starting in October 2014, it will conduct on-site and remote inspections to verify whether companies are complying with its new guidance on the use of cookies and other technologies. These inspections will take place in connection with the European “cookies sweep day” initiative, which will be launched from September 15 – 19, 2014. During that initiative, each EU data protection authority will review how users are informed of, and consent to the use of, cookies.

On July 10, 2014, the Federal Trade Commission announced that it filed a complaint against Amazon.com, Inc. (“Amazon”) for failing to obtain the consent of parents or other account holders prior to billing them for in-app charges incurred by children. According to the complaint, Amazon, which offers children’s apps through its Appstore, bills Amazon account holders in real money for virtual items that children obtain within an app (i.e., “in-app” charges).

On June 20, 2014, Florida Governor Rick Scott signed a bill into law that repeals and replaces the state’s existing breach notification statute with a similar law entitled the Florida Information Protection Act (Section 501.171 of the Florida Statutes) (the “Act”).

Hunton & Williams, in collaboration with the U.S. Chamber of Commerce, recently issued Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity, a report which highlights the benefits of cross-border data transfers to businesses in the international marketplace. The report underscores the importance of developing data transfer mechanisms that protect privacy and facilitate the free-flow of data, and also explores opportunities for new data transfer regimes.

Last week, the Russian Parliament adopted a bill amending portions of Russia’s existing legislation on privacy, information technology and data protection. Among other provisions, the law would create a “data localization” obligation for companies engaged in the transmission or recording of electronic communications over the Internet. Such companies would be required to store copies of the data for a minimum of six months in databases that must be located within the Russian Federation. The new bill also would empower the Russian data protection authority to block public Internet access to any service that does not comply with this requirement.

On July 2, 2014, the Privacy and Civil Liberties Oversight Board (“PCLOB”) held a public meeting to finalize the release of a report concluding that the National Security Agency’s (“NSA’s”) collection of electronic communications from targets reasonably believed to be non-U.S. persons located outside the United States has operated lawfully within its statutory limitations.