Privacy & Information Security Law Blog

As reported by Kwang Hyun Ryoo and Ji Yeon Park of Bae, Kim & Lee LLC in Korea, on May 24, 2011, the government of South Korea published draft regulations to the Personal Information Protection Act (“PIPA”), the Republic’s new omnibus data protection law.

As we previously reported, PIPA was enacted on March 29, 2011, after past privacy legislation had languished in the Korean Parliament.  The recently published regulations (an Enforcement Decree and Enforcement Regulations) apply to any “handler of personal information” or “data handler,” which is any entity that uses personal information for business purposes.

The German Data Protection Authorities of Berlin and North Rhine-Westphalia have issued a paper containing Frequently Asked Questions about the German statutory data breach notification requirement that went into effect on September 1, 2009.  The paper provides detailed information on key questions concerning the procedure for notification as required by Section 42a of the German Federal Data Protection Act.

On May 27, 2011, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking regarding the HIPAA Privacy Rule provision that requires covered entities to provide an accounting of disclosures of protected health information (“PHI”) to individuals upon request.  The proposed rule revises existing HIPAA Privacy Rule provisions regarding an accounting of disclosures and also gives individuals a new right to obtain an “access report” about which specific individuals have accessed electronic PHI in a designated record set.  The proposed rule also requires covered entities to modify their privacy notices to include that individuals have the right to obtain an access report from the covered entities.

On June 6, 2011, join Hunton & Williams for a panel discussion on the implementation of the new EU Cookie Law in the UK, France, Germany and the Netherlands.  EU law on the use of cookies is changing.  Opt-in consent will be required, but specific requirements may differ across the EU.  What are organizations doing to ensure compliance with the new cookie law?  Listen to David Evans, Group Manager of Business and Industry of the Information Commissioner's Office, explain the steps that UK organizations are expected to take.  Learn about cookie compliance in France, Germany and the ...

According to a complaint submitted to the Federal Trade Commission on May 11, 2011, the popular cloud-based data storage provider Dropbox, Inc. made false claims about the security of its users’ data, thereby putting them at risk while gaining an unfair advantage over competitors that actually offer the sort of security Dropbox advertised.  The Dropbox service allows users to create folders on their computers that automatically sync with corresponding folders on Dropbox’s servers.  Users can specify whether their folders are public or private.  The allegations concern the folders designated as private, which are touted as being protected by encryption.  According to the complaint, which was filed by Christopher Soghoian (a security researcher and former technologist at the FTC’s Division of Privacy and Identity Protection), although Dropbox represented that its encryption features would render a user’s files completely inaccessible to any person other than the user, in fact, Dropbox employees maintained copies of the encryption keys and could therefore access the contents of users’ files.  This left Dropbox users’ files susceptible to unauthorized access (e.g., governmental demands for data, hacking attacks, rogue insiders).

On May 11, 2011, in Thomas Robins v. Spokeo, Inc., the United States District Court for the Central District of California granted in part and denied in part defendant Spokeo, Inc.’s motion to dismiss claims that it violated the Fair Credit Reporting Act (“FCRA”).  The ruling allows the plaintiff to continue his action against Spokeo, a website that aggregates data about individuals from both online and offline sources.

On May 25, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a news release stating that organizations and businesses that run websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement of the new cookie law begins.  Information Commissioner Christopher Graham made it clear, however, that “[t]his does not let everyone off the hook.  Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

On May 16, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on geolocation services on smart mobile devices (the “Opinion”).  The Opinion clarifies the legal framework and obligations applicable to geolocation services such as maps and navigation tools, geo-personalized services, geotagging of content on the Internet, child control and location-based advertising.

As we reported last week, on May 12, 2011, the Obama administration announced a comprehensive cybersecurity legislative proposal in a letter to Congress.  The proposal, which is the culmination of two years of work by an interagency team made up of representatives from multiple departments and agencies, aims to improve the nation’s cybersecurity and protect critical infrastructure.  If enacted, this legislation will affect many government and private-sector owners and operators of cyber systems, including all critical infrastructure, such as energy, financial systems, manufacturing, communications and transportation.  In addition, the proposal includes a wide-reaching data breach notification law that is intended generally to preempt the existing state breach laws in 46 states plus Washington, D.C., Puerto Rico and the U.S. Virgin Islands.

On April 11, 2011, India adopted new privacy regulations, known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”).  The Rules are final versions of the draft regulations issued in February 2011 and impose wide-ranging obligations on any “body corporate” (company) that “collects, receives, possesses, stores, deals or handles” personal information.  These obligations require companies to provide privacy policies, restrict the processing of sensitive personal data, restrict international data transfers and require additional security measures.  The Rules introduce an omnibus privacy law that is similar in many respects to existing EU data protection law, but which raises some fundamental challenges for India’s numerous outsourcing vendors, and their customers.