Privacy & Information Security Law Blog

On December 1, 2011, a consolidated litigation against Netflix was ordered to private mediation pursuant to an agreement between the parties. As we previously reported, the plaintiffs allege that Netflix’s practice of maintaining customer movie rental history and recommendations after their subscriptions are cancelled violates the federal Video Privacy Protection Act (“VPPA”). In August 2011, several similar cases against Netflix were consolidated by a federal court in California.

News of the mediation order comes as a significant amendment to the VPPA awaits Senate ...

As reported in the Hunton Employment & Labor Perspectives Blog:

The U.S. Department of Justice has moved to intervene to defend the constitutionality of the Fair Credit Reporting Act (“FCRA”) against a consumer reporting agency accused of violating § 605 of the FCRA.

On November 23, 2010, Shamara T. King filed suit against General Information Services, Inc. (“GIS”) in Pennsylvania federal court claiming violations of the FCRA. (See, King v. General Information Services, Inc., No. 2:10-CV-06850 (E.D. Pa. Nov. 23, 2010). Specifically, King claims that when she applied for a job with the United States Postal Service, GIS performed a background check that included details about a car theft arrest that occurred more than seven years prior to the requested background check. According to § 605(a)(5) of the FCRA, consumer reporting agencies cannot provide adverse information, except for criminal convictions, “which antedates the report by more than seven years.”

Shortly before Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, gave her keynote address on binding corporate rules (“BCRs”) at the IAPP Europe Data Protection Congress in Paris, Hunton & Williams co-authored two articles on BCRs with the French Data Protection Authority (“CNIL”):

In early December 2011, drafts of two legal instruments prepared by DG Justice of the European Commission to reform the EU data protection framework entered interservice consultation. This process will give other Directorates-General of the Commission the opportunity to comment on the drafts before they are formally released as legislative proposals; accordingly, changes to the drafts are likely. Following this comment period, the drafts will enter the EU legislative process, which is likely to take at least two to three years before they become law. It is believed that Justice Commissioner and Commission Vice-President Viviane Reding will formally announce final versions of the drafts at an appearance at the World Economic Forum in late January 2012.

On November 29, 2011, the Federal Trade Commission announced that Facebook has settled charges that it deceived consumers by making false privacy promises. The settlement requires Facebook to (1) not misrepresent how it maintains the privacy or security of users’ personal information (2) obtain users’ “affirmative express consent” before sharing their information with any third party that “materially exceeds the restrictions imposed by a user’s privacy setting(s),” (3) implement procedures to prevent a third party from accessing users’ information no later than 30 days after the user has deleted such information or terminated his or her account, (4) establish, implement and maintain a comprehensive privacy program, and (5) obtain initial and biennial assessments and reports regarding its privacy practices for the next 20 years.

Lithuanian firm LAWIN Lideika, Petrauskas, Valiūnas ir partneriai reports that recent amendments to Lithuania’s Law on Legal Protection of Personal Data and the Law on Electronic Communications have established a breach notification requirement. Specifically, providers of publicly-available electronic communications services or of public communications networks must notify the data protection authority of data security breaches, and, when the breach is likely to have an adverse effect on the privacy of affected individuals, the data controller also may be required ...

On November 29, 2011, at the International Association of Privacy Professionals (“IAPP”) Europe Data Protection Congress in Paris, France, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, provided insight into details of the proposals for the revised EU data protection framework. She focused explicitly on solutions for international data transfers, promoting Binding Corporate Rules ("BCRs") as a solution that can offer a simplified, yet comprehensive, structure for safeguarding international flows of data. Commissioner Reding referred to BCRs as offering the possibility of consistent enforcement and legal certainty, without stifling innovation.

On November 17, 2011, the German Association for Data Protection and Data Security (“GDD”) held its 35th Privacy Conference (“DAFTA”) in Cologne, Germany. At the opening plenary session, Paul Nemitz, Director for Fundamental Rights and Citizenship of the European Commission, announced that the European Commission plans to implement a Regulation that is directly applicable to all EU Member States, to harmonize data protection laws in Europe.

On November 16, 2011, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2010 (the “Report”) highlighting its main 2010 accomplishments and outlining some of its priorities for the upcoming year. This year’s Report covers events that occurred since last year’s publication of the Annual Activity Report for 2009.

On November 3, 2011, the Labor Chamber of the French Court of Cassation (the “Court”) upheld a decision against a company that unlawfully used a geolocation device to track the company car of one of its salesmen. Although the company notified the salesman that a geolocation device would be used to optimize productivity by analyzing the time he spent on business trips, the device was in fact used to monitor his working hours, which ultimately led to a pay cut.