Privacy & Information Security Law Blog

On April 1, 2011, Epsilon Data Management, LLC (“Epsilon”), a leading marketing services provider based in Irving, Texas, issued a press release announcing that its clients’ customer data had been “exposed by an unauthorized entry into Epsilon’s email system” that took place on March 30, 2011.  In the press release, Epsilon indicated that the information acquired as a result of the incident was limited to email addresses and customer names.  Several major retailers, credit card issuers, financial institutions and other companies that use Epsilon as a service provider ...

Mexico’s Ministry of Economy and Federal Institute for Access to Information and Data Protection (the “IFAI”) will issue the first set of regulations implementing Mexico's new private sector data protection law the week of April 11, 2011.  These first regulations will cover the legal requirements to provide privacy notices to consumers and to appoint a designated privacy official, which go into effect in July 2011.  The two agencies want to ensure that the private sector has adequate time to prepare appropriate privacy notices prior to the July effective date.  The balance of the law, granting individual participation rights to consumers, becomes effective in January 2012.

As reported in BNA’s Privacy Law Watch, on March 29, 2011, South Korea’s president approved the Act on the Protection of Personal Data.  This comprehensive privacy law will require nearly all businesses and government agencies to provide data breach protection, mandate the use of privacy assessments before establishing certain new databases, and establish a right to file class actions in court over alleged violations of the law.  The implementing rules will be worked out before the law is due to take effect on September 30, 2011.  South Korea first attempted to enact a comprehensive privacy law in 2004; however, for the past seven years, omnibus privacy bills sponsored by the government and lawmakers have stalled in Parliament.

As reported in BNA’s Privacy Law Watch, on April 1, 2011, a New York law went in effect requiring manufacturers of certain electronic equipment, including devices that have hard drives capable of storing personal information or other confidential data, to register with the Department of Environmental Conservation and maintain an electronic waste acceptance program.  The program must include convenient methods for consumers to return electronic waste to the manufacturer and instructions on how consumers can destroy data on the devices before recycling or disposing of them.  Retailers of covered electronic equipment will be required to provide consumers with information at the point of sale about opportunities offered by manufacturers for the return of electronic waste, to the extent they have been provided such information by the manufacturer.

A new French law containing several key amendments to the French Data Protection Act and creating a new public authority referred to as the “Defender of Rights” (Loi n°2011-334 du 29 mars 2011 relative au Défenseur des droits, or the “Law”) came into effect on March 30, 2011.  The Defender of Rights, whose role is to defend civil rights and liberties, to promote children’s rights and to fight against discrimination, also will serve as a member of the CNIL’s plenary committee.

On March 30, 2011, the Federal Trade Commission announced that Google agreed to settle charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010.  According to the FTC’s complaint (main document, exhibits), Google led Gmail users to believe that they could choose whether or not they wanted to join Google Buzz.  The options for declining or leaving Google Buzz, however, were ineffective.  For those who joined Google Buzz, the controls for limiting the sharing of their personal information were difficult to locate and confusing.  Furthermore, the FTC charged that Google violated its privacy policies by using information provided for Gmail for another purpose – social networking – without obtaining consumers’ permission in advance.  Finally, the FTC alleged that Google misrepresented that it was treating personal information from the European Union in accordance with the U.S.-EU Safe Harbor framework because it failed to give consumers notice and choice before using their information for a different purpose from that for which it was collected.

On March 28, 2011, the Briar Group, LLC, owner and operator of several Boston-area bars and restaurants, reached a settlement with Massachusetts Attorney General Martha Coakley regarding the breach of “tens of thousands” of consumers’ payment card information.  The settlement resolves a lawsuit filed in Massachusetts Superior Court alleging that in April 2009 hackers gained access to the Briar Group’s computer systems and misappropriated customer data by installing malcode which was not removed by the company until December of that year.  The complaint further alleged that the Briar Group’s lax data protection practices, such as allowing employees to share computer passwords and failing to secure network wireless connections, put customers’ personal information at risk.

As reported in Hunton & Williams' Employment & Labor Perspectives blog:

An employer who allegedly posted to an employee’s Facebook and Twitter accounts without her consent may face liability for its actions, according to a federal judge in Illinois.  The case is Maremont v. Susan Fredman Design Group, Ltd., in the U.S. District Court for the Northern District of Illinois (2011 U.S. Dist. LEXIS 26441, March 15, 2011).

The Plaintiff, Jill E. Maremont, worked as the Director of Marketing, Public Relations and E-Commerce for an interior designer and her company, Susan Fredman and the Susan Fredman Design Group, Ltd. (Defendants).  Maremont contends she created a “popular personal following” on Facebook and Twitter, and she also created a company blog called “Designer Diaries: Tales from the Interior.”

On March 16, 2011, at a U.S. Senate Commerce Committee hearing, Senator John Kerry (D-Mass.) announced his intention to introduce privacy legislation that would create “a common code of conduct that respects the rights of both the people sharing their information and legitimate organizations collecting and using it on fair terms and conditions.”  Kerry indicated that he had “reached out to our colleagues on both sides of the aisle, to privacy experts at firms, in academia, and in the advocacy community,” and asked for input into the process from witnesses at the hearing.

On March 21, 2011, the French Data Protection Authority (the “CNIL”) published its decision to fine Google €100,000 for violating the French Data Protection Act.

In 2009, the CNIL inspected Google’s geolocation service (“Street View”), which revealed that Google had collected huge quantities of undeclared personal data (e.g., navigation data, email content, logins and passwords) through Wi-Fi connections accessed by its Street View cars.  Google responded that the personal data had been collected by mistake, and promised to stop the Wi-Fi data collection.