Privacy & Information Security Law Blog

Last month, two New Jersey judges issued opposing decisions in class action lawsuits regarding merchants’ point-of-sale ZIP code collection practices. The conflicting orders leave unanswered the question of whether New Jersey retailers are prohibited from requiring and recording customers’ ZIP codes at the point of sale during credit card transactions.

On October 10-12, 2011, the Council of Europe’s Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (known as the “T-PD-Bureau”) met in Strasbourg, France, to discuss, among other things, amending the Council of Europe’s Convention 108 and Additional Protocol. Convention 108 (together with the Protocol), which underlies the European Union’s legal framework for data protection, is the only legally-binding international convention that addresses data protection. Amendment of the Convention is also closely linked to the current review of the EU data protection framework.

On October 17, 2011, the French Data Protection Authority (the “CNIL”) launched a public consultation on cloud computing (the “Consultation”). The Consultation seeks to gather opinions from stakeholders (clients, providers, consultants) regarding cloud computing services for businesses, to identify legal and technical solutions that address data protection concerns while taking into account the economic interests involved.

On October 10, 2011, the French Data Protection Authority (the “CNIL”) released a video of newly-elected Chairwoman Isabelle Falque-Pierrotin presenting her priorities and vision for the future of the CNIL. Ms. Falque-Pierrotin was elected as the new Chair of the CNIL on September 21, 2011.

On September 7, 2011, the United Kingdom Information Tribunal published a decision that appears to resolve the long-running uncertainty regarding the extent to which anonymized personal information may be disclosed under the UK’s Freedom of Information legislation. The UK’s FOIA was introduced and applicable to most of the UK in 2000, with equivalent law following for Scotland in 2002.

On October 13, 2011, Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, presented “Accountability in a Page” as part of the “What it Means to Be Accountable” plenary session at the PIPA Conference 2011 taking place in Vancouver, British Columbia. Mr. Abrams, who leads the Centre’s Accountability Project, outlined the essential elements of accountability and described how top multinational companies are building accountability-based programs. According to Mr. Abrams, “accountability as mandated by the Canadian ...

On September 23, 2011, the Labor Chamber of the Court of Appeals of Caen (the “Court”) upheld a decision to suspend a whistleblower program implemented by a U.S. company’s French affiliate, despite the fact that the French Data Protection Authority (the “CNIL”) had inspected and approved the program prior to implementation. This decision follows recent amendments to the legal framework for whistleblower programs in France.

On September 13, 2011, the Singapore Ministry of Information, Communications and the Arts (the “Ministry”) published a Proposed Consumer Data Protection Regime for Singapore, outlining possible ideas for a data privacy framework and soliciting comments from the public. A few of the suggestions from the Ministry’s proposal that appear most likely to be reflected in a final data privacy law are outlined below.

On October 7, 2011, the Constitutional Court of Colombia approved a landmark omnibus data protection law.  According to its press release, the Court approved almost all provisions in the legislation, known as Ley estatutaria No. 184/ 10 Senado, 046/10 Cámara, but it took issue with Article 27 (which addresses the government’s processing of certain data), Article 29 (which addresses the expunging of certain criminal records) and Articles 30 and 31 (which both address intelligence and counterintelligence databases).  Many of the remaining provisions reflect a strong European influence.  Some highlights include:

• With certain exceptions, the law prohibits the processing of personal data without the data subject’s prior consent.  When the personal data are sensitive data (e.g., health data), the consent must take the form of an explicit authorization.
• The law permits cross-border transfers of personal data to countries that lack adequate data protection laws only in specified circumstances, such as (1) when the data subject has given express and unequivocal consent for the transfer (2) the transfer is necessary for the performance of a contract between the data subject and the data controller, or (3) with the approval of the Superintendence of Industry and Commerce.
• The processing of children’s personal data is generally prohibited.
• Data subjects have access rights.

On September 29, 2011, the German federal and state data protection authorities (“DPAs”) issued a resolution on cloud computing and compliance with data protection law. The publication was released in conjunction with the DPAs’ 82nd annual conference.