Privacy & Information Security Law Blog

On April 25, 2013, the Federal Trade Commission released an updated version of its frequently asked questions regarding the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The revised FAQs, entitled Complying with COPPA: Frequently Asked Questions (A Guide for Business and Parents and Small Entity Compliance Guide), provide general information on COPPA’s requirements and also include new guidance on the recent amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule”).

On April 10, 2013, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) enacted two draft rules (“Provisions on the Protection of Personal Information of Telecommunications and Internet Users” and “Provisions on the Registration of Real Identity Information of Telephone Users”) to solicit public comments. The comment period is open until May 15, 2013. Both Drafts include proposals for substantial provisions on the protection of personal information and were enacted according to the Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet (issued by the Standing Committee in December 2012) and some other telecommunications rules.

On April 22, 2013, the higher administrative court of Schleswig issued two decisions rejecting an appeal by the data protection authority of Schleswig-Holstein (“Schleswig DPA”) that sought to challenge a lower court’s earlier rulings in Facebook’s favor.

On April 17, 2013, the Federal Trade Commission issued a press release seeking public input on “The Internet of Things” – the ability of numerous “everyday devices to communicate with each other and with people.” The FTC will accept comments through June 1, 2013, in advance of a public workshop to be held in Washington, D.C. on November 21, 2013.

On April 16, 2013, the Office of the President issued a Statement of Administration Policy that includes a threat to veto the U.S. House of Representatives’ Cyber Intelligence Sharing and Protection Act (“CISPA” or H.R. 624) if further changes are not made to the bill’s privacy protections. Specifically, the Obama Administration recommends that the bill require private entities to remove personal information when sharing cybersecurity information with the government or other private entities.

On April 12, 2013, the Department of Commerce’s International Trade Administration (“ITA”) issued a guidance document to clarify how the U.S.-European Union Safe Harbor Framework facilitates the transfer of personal data from the European Union to the United States in the cloud computing context. The document underscores that the U.S.- European Union Safe Harbor Framework is an officially recognized means of complying with the adequacy requirement of EU Data Protection Directive 95/46/EC. ITA has received a number of inquiries from Safe Harbor participants indicating that they (and their EU clients, customers and partners) have heard conflicting information and are unsure about how the Safe Harbor Framework may enable data transfers to cloud service providers in the United States.

On April 9, 2013, the United States Court of Appeals for the Eleventh Circuit held that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law regarding the disclosure of patient records by nursing homes. The law required nursing homes in Florida to provide the medical records of a deceased nursing home resident to the “spouse, guardian, surrogate, proxy, or attorney in fact,” including “medical and psychiatric records and any records concerning the care and treatment of the resident performed by the facility, except progress notes and consultation report sections of a psychiatric nature.”

As the number of security breach incidents and privacy violations continues to increase, so too has the volume of lawsuits—particularly class action lawsuits—seeking damages for actual and future harms resulting from unauthorized disclosures of personal information. Affected companies have looked to their traditional insurance coverage to defray costs associated with responding to these incidents and lawsuits, but standardized commercial general liability policies may not provide adequate coverage.

On April 10, 2013, the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) jointly adopted rules that require broker-dealers, mutual funds, investment advisers and certain other regulated entities to adopt programs designed to detect “red flags” and prevent identity theft. These rules implement provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, that amended the Fair Credit Reporting Act (“FCRA”) to direct the SEC and the CFTC to adopt rules requiring regulated entities to address risks of identity theft. The 2003 amendments to the FCRA required other regulatory authorities to issue identity theft red flags rules, but did not authorize or require the SEC or the CFTC to issue their own rules.

On April 2, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion (the “Opinion”) that elaborates on the purpose limitation principle set out in Article 6(1)(b) of the current EU Data Protection Directive 95/46/EC (the “Data Protection Directive”). The Opinion analyzes the scope of this principle under the Data Protection Directive, clarifies its limits and makes recommendations to strengthen it in the proposed General Data Protection Regulation (the “Proposed Regulation”). It also focuses on how to apply this principle in the context of Big Data and open data.