Privacy & Information Security Law Blog

Over the past several weeks, online tracking practices involving the use of Flash cookies and ETags have been the subject of new research studies, class action lawsuits and significant media attention.

On September 6, 2011, Lisa J. Sotto, partner and head of Hunton & Williams’ Privacy and Data Security practice, discussed why companies and individuals should be concerned about protecting their personal information in an interview with FoxNews.com.

View the video of Lisa’s interview with Kimberly Guilfoyle.

On September 6, 2011, a bankruptcy court approved an agreement between bankrupt bookseller Borders Group, Inc. (“Borders”) and Next Jump, Inc., (“Next Jump”) regarding Next Jump’s alleged trademark infringement and unauthorized use of Borders’ customer information.  Next Jump stipulated that it will not communicate with persons on Borders’ customer list, and that it would remove the Borders name and marks from websites that Next Jump owns or operates.

As reported in the Hunton Employment & Labor Perspectives Blog, on August 18, 2011, the National Labor Relations Board’s Acting General Counsel issued a report discussing fourteen social media cases recently decided by the Board.  The cases highlighted in the report offer insight regarding how the NLRB will handle various social media issues in the future.

Read the full post, which provides an overview of several of the cases highlighted in the NLRB’s report.

On August 31, 2011, California Governor Jerry Brown signed into law amendments to that state’s security breach notification statute.  The revisions establish new content requirements for breach notification letters to California residents, and mandate notification to the state Attorney General when a breach affects more than 500 Californians.  Senate Bill 24 was the third effort by State Senator Joe Simitian to build on the landmark California breach notification law he authored in 2002.  The two previous bills he proposed were passed by the California legislature, but vetoed by former Governor Arnold Schwarzenegger.

On August 5, 2011, the Beijing Second Intermediate People’s Court announced its decision in what is reported to be the largest criminal case to date involving the misuse of personal information in Beijing, China.  The Court based its ruling on Article 7 of the Seventh Amendment to the Criminal Law, which applies to three types of criminal activities: (1) illegal sale of citizens’ personal information, (2) illegal provision of citizens’ personal information, and (3) illegal access to citizens’ personal information.

On August 24, 2011, France’s new law concerning electronic communications (Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques, or the “Ordinance”) came into force.  The Ordinance implements the provisions of the revised EU Directive 2002/58/EC (the “e-Privacy Directive”) with respect to the French Data Protection Act of 1978, the French Postal and Electronic Communications Code and the French Consumer Protection Code.  In particular, the Ordinance introduces new provisions under the French Data Protection Act, which impose an obligation on electronic communication service providers to provide notice in the event of a data security breach. 

On August 24, 2011, France’s new law concerning electronic communications (Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques, or the “Ordinance”) came into force.  The Ordinance implements the provisions of the revised EU Directive 2002/58/EC (the “e-Privacy Directive”) with respect to the French Data Protection Act of 1978, the French Postal and Electronic Communications Code and the French Consumer Protection Code.  Specifically, the Ordinance amends the existing legal framework concerning cookies and introduces an opt-in regime for the use of cookies.

On August 19, 2011, the Data Protection Commissioner’s Office of the German federal state of Schleswig-Holstein (“ULD”) ordered all businesses in that state “to shut down their fan pages on Facebook and remove social plug-ins such as the ‘like’-button from their websites.”  Although this warning is specific to Facebook users, the regulator’s explanation of its motives reveals a fundamental concern about common data analytics practices:

“By using the Facebook service traffic and content data are transferred into the USA and a qualified feedback is sent back to the website owner concerning the web page usage, the so called web analytics (Ger.: Reichweitenanalyse).  Whoever visits facebook.com or uses a plug-in must expect that he or she will be tracked by the company for two years.  Facebook builds a broad individual and for members even a personalised profile.  Such a profiling infringes German and European data protection law.  There is no sufficient information of users and there is no choice; the wording in the conditions of use and privacy statements of Facebook does not nearly meet the legal requirements relevant for compliance of legal notice, privacy consent and general terms of use.”

On July 13, 2011, the Belgian Privacy Commission (the “Belgian DPA”) signed a Protocol with the Ministry of Justice which significantly simplifies the authorization procedure for binding corporate rules (“BCRs”) under Belgian law.  The Protocol was just made public on the Belgian DPA's website.