Privacy & Information Security Law Blog

On October 14, 2010, the French Data Protection Authority (the “CNIL”) adopted several amendments to its single authorization AU-004 regarding the use of whistleblowing schemes (the “Single Authorization”).

Since 2005, companies in France must register their whistleblowing schemes with the CNIL either by self-certifying to the CNIL’s Single Authorization or by filing a formal request for approval with the CNIL.  Companies that self-certify to the Single Authorization make a formal undertaking that their whistleblowing scheme complies with the pre-established conditions set out in this authorization.  In particular, the scope of the Single Authorization is limited to the following specific areas: finance, accounting, banking, fight against corruption and compliance with Section 301(4) of the Sarbanes-Oxley Act.  Under the revised framework, the CNIL has extended the scope of the Single Authorization to include the prevention of anti-competitive practices and compliance with the Japanese Financial Instrument and Exchange Act.

The Yomiuri Shimbun has been following a story regarding the November 25, 2010, release by a Tokyo publisher of a book containing Tokyo Metropolitan Police Department anti-terrorism documents that were leaked on the Internet in October.  According to reports, the book (“Leaked Police Terrorism Info: All Data”) contains 469 pages of unedited personal information of foreign residents who are being monitored by Japanese authorities, as well as the names of the police officers involved in the cases and individuals who have cooperated with police investigations.  On November 29, a ...

On December 7, 2010, Microsoft announced in a blog post that Internet Explorer 9 will feature a new “opt-in mechanism” and “Tracking Protection Lists” to help consumers control tracking of their online activity.  Since the Federal Trade Commission released its privacy report last week, there has been considerable debate regarding consumer protection on the Internet, especially with respect to the “Do Not Track” concept.  Microsoft’s blog post states, “We believe that the combination of consumer opt-in, an open platform for publishing of Tracking Protection ...

On December 1, 2010, the German Federal Ministry of the Interior (the “BMI”) issued a paper entitled “Data Protection on the Internet,” which contains a draft law to protect against particularly serious violations of privacy rights online.

On December 2, 2010, discussions about privacy continued at a hearing on “Do Not Track Legislation: Is Now the Right Time?” held by the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Commerce, Trade and Consumer Protection.  The hearing focused on a variety of consumer privacy issues, including the implications and challenges of a Do Not Track mechanism, the consumer’s desire for more control over the collection and use of their data and tracking practices, and the need to preserve an advertising supported Internet that promotes economic growth through online business.

The “Red Flag Program Clarification Act of 2010” (S. 3987) has passed the Senate.  The legislation would limit the scope of the Red Flags Rule, which requires certain “creditors” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.  The new legislation would exclude from the definition of “creditor” certain entities that “[advance] funds on behalf of a person for expenses incidental to a service provided by the creditor to that ...

On December 1, 2010, the European Parliament hosted a Privacy Platform on the European Commission’s recent Communication proposing “a comprehensive approach on personal data protection in the European Union,” which is aimed at modernizing the current EU data protection framework.

The panel, hosted by European Parliament Member Sophie in ‘t Veld, included:

• The Head of Cabinet of the European Commission’s Commissioner for Justice, Fundamental Rights and Citizenship, Martin Selmayr (in Commissioner Viviane Reding’s absence);
• The Chairman of the Article 29 Working Party, Jacob Kohnstamm; and
• The European Data Protection Supervisor, Peter Hustinx.

The Platform was very well attended, bringing together a wide range of stakeholders from both the public and private sectors.

On December 1, 2010, the Federal Trade Commission released its long-awaited report on online privacy entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”  Observers expected the report to address the concept of privacy by design, the burdens placed on consumers to read and understand privacy notices and make privacy choices, the provision of individual access to personal data and the rights of consumers with respect to Internet tracking.  The FTC report introduces a privacy framework to “establish certain common assumptions and bedrock protections on which both consumers and businesses can rely as they engage in commerce.”  It includes the following elements:

David Vladeck, Director of the FTC’s Division of Consumer Protection, this morning previewed the long-awaited FTC report that sums up months of discussion regarding the future of privacy regulation in the United States and examines the viability of a Do Not Track mechanism.  Vladeck indicated at the Consumer Watchdog Policy Conference that the existing privacy framework in the U.S. is not keeping pace with new technologies.  In addition, he stated that the pace of industry self-regulation, while constructive, has been too slow.  According to Vladeck, the report will address several major themes, including the following:

The Centre for Information Policy Leadership (the “Centre”) this week issued “Data Protection Law and the Ethical Use of Analytics,” authored for the Centre by Paul Schwartz, Professor of Law, Berkeley Law School, University of California.  Marty Abrams shared this paper on November 30, 2010, at the European Data Protection and Privacy Conference in Brussels and plans to present the paper on December 1, 2010, at the Organization for Economic Cooperation and Development.