Privacy & Information Security Law Blog

On September 22, 2011, new provisions under the French Data Protection Authority’s (“CNIL’s”) internal regulation (Délibération n°2011-249 du 8 septembre 2011) came into force. The CNIL recently amended its regulations to incorporate a new chapter (Chapter IV bis) that sets forth a specific procedure for issuing privacy seals in accordance with the French Data Protection Act. The Act authorizes the CNIL to “issue a quality label to products or procedures intended to protect individuals with respect to processing of personal data, once [the CNIL] has recognized them as in compliance with the provisions of the Act.”

On September 27, 2011, OnStar announced it was reversing proposed changes to its Terms and Conditions that would have allowed the company to continue to receive data from former subscribers’ vehicles unless they specifically opted out.  OnStar’s current Privacy Statement indicates that the GM subsidiary collects information regarding its customers’ vehicle operation, location, approximate speed, collision data and safety belt usage in connection with OnStar’s in-vehicle GPS navigation and emergency response services, and that the company “may share or sell” any of this data in anonymized form with third parties.  OnStar recently notified customers by email that it would continue to collect data from former subscribers, and that it reserved the right to distribute such data to third parties.  The announcement prompted a swift and strong reaction from members of Congress skeptical of the proposed policy changes.

On September 28, 2011, a federal court in Illinois held that West Publishing Company (“West”) had not violated the Driver’s Privacy Protection Act (“DPPA”) by reselling driver’s license information obtained from state DMVs.  The court held that (1) the DPPA creates a federal private right of action permitting individuals like the plaintiffs to bring their class action suit, but (2) the lower court’s dismissal for failure to state a claim was proper.

On Tuesday, September 27, 2011, the European Privacy Officers Forum (“EPOF”) celebrated its 10th anniversary with a gala reception at the BELvue Museum in Brussels. EPOF is composed of EU-based data protection compliance officers and internal legal counsel from over 30 multinational companies and public-sector institutions who meet three times a year in Brussels to exchange ideas and to hear presentations by data protection authorities and other government representatives. The gala, which was attended by approximately 100 people, featured opening remarks from Peter Hustinx, European Data Protection Supervisor, the Honorable William E. Kennard, U.S. Ambassador to the EU, and Paul Nemitz, Director of Fundamental Rights and Citizenship of the European Commission.

Hunton & Williams announces that Rosemary Jay, formerly head of the privacy practice at Pinsent Masons and the former head of the legal team at the UK Information Commissioner’s Office, will join the firm’s Privacy and Data Security practice in October.  Ms. Jay will be based in the firm’s London office.  As a senior lawyer, Ms. Jay will bring more than 20 years of data protection experience to Hunton & Williams, enhancing both the firm’s renowned privacy practice and its Centre for Information Policy Leadership.  

On September 22, 2011, the Senate Judiciary Committee approved three separate bills that would establish a national data breach notification standard.  Because the bills were approved on a party-line vote, and several other data breach bills currently are under consideration by other Senate committees, the prospects for these three bills in the full Senate are uncertain.

On September 19, 2011, Privacy Piracy host Mari Frank interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, on KUCI 88.9 FM radio in Irvine, California.  In the interview, Ms. Sotto discussed critical current privacy and data security issues, including lessons learned from the recent data breaches, the regulatory framework in the U.S. and EU, and expected legislative changes in the privacy arena globally.

Listen to the Privacy Piracy interview.

On September 21, 2011, the board of the French Data Protection Authority (the “CNIL”) elected Isabelle Falque-Pierrotin as its new Chair, following Alex Türk’s resignation which he officially tendered at the board meeting.

On June 17, 2011, the National Assembly of the Republic of Angola passed Law 22/11 on Personal Data Protection.  The omnibus privacy legislation applies to the automated and non-automated processing of personal data by controllers based or operating in Angola, or subject to, or using equipment governed by, Angola’s laws.  Some highlights of the law are listed below.

On September 15, 2011, the Federal Trade Commission released proposed amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”).  These revisions follow the FTC’s review of the COPPA Rule, which resulted in numerous comments from various groups and individuals, as well as a public round table that took place on June 2, 2010.  The proposed amendments reflect the FTC’s commitment to “helping to create a safer, more secure online experience for children” in the face of rapid technological change.