Privacy & Information Security Law Blog

Following the first “hung parliament” since 1974, the UK is facing considerable legislative reform under the newly formed Conservative - Liberal Democrat coalition government.  Although the parties appear to have differing opinions on a number of legislative issues, one issue that unites them is their commitment (at least in theory) to strengthening the current data protection regime implemented under the Labour government.

Each party’s manifesto states that, should it be elected, it will enhance the audit powers of the Information Commissioner (the UK data protection regulator).  Currently, the Information Commissioner may audit government departments and public authorities suspected of violating data protection principles without their prior consent.  The Conservatives and Liberal Democrats propose to extend the Information Commissioner’s audit powers to private sector organizations.  This could be achieved in theory by secondary legislation.

According to a report issued by the EU Agency for Fundamental Rights (“FRA”), European data protection authorities lack sufficient independence and funding.  In addition, DPAs impose few sanctions for violations of data protection laws.  DPAs “are often not equipped with full powers of investigation and intervention or the capacity to give legal advice or engage in legal proceedings.”  In a number of countries, including Austria, France, Germany, Latvia, the Netherlands, Poland and the UK, “prosecutions and sanctions for violations are limited or non-existing.”  ...

On May 7, 2010, the data protection authority of the German federal state of North Rhine-Westphalia imposed a fine of €120,000 on Deutsche Postbank AG for illegal disclosure of customers’ bank account transaction data.  The bank unlawfully allowed approximately 4,000 self-employed agents to access information on more than a million customer accounts for sales purposes.

“The Department of Commerce is back.”  With those words Cameron Kerry, General Counsel of the U.S. Department of Commerce, made it clear the Department intends to take a leading role in shaping domestic privacy policy and representing U.S. privacy interests in international discussions.  The announcement was made at the May 7, 2010, Department of Commerce symposium, “A Dialogue on Privacy and Innovation,” where the mostly business audience welcomed Mr. Kerry’s declaration with great enthusiasm.

Rejecting a defense based on compliance with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), a federal court in Ohio denied a medical clinic’s motion to dismiss invasion of privacy claims following the clinic’s disclosure of medical records to a grand jury.  In Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010), plaintiff Turk had been under investigation for illegally carrying a concealed weapon and for having a weapon while under disability in violation of an Ohio law which provides that “no person shall knowingly acquire, have, carry, or use any firearm” if “[t]he person is drug dependent, in danger of drug dependence, or a chronic alcoholic.”  Defendant Cleveland Clinic, where Turk was a patient, received a grand jury subpoena requesting “medical records to include but not be limited to drug and alcohol counseling and mental issues regarding James G. Turk.”  When the Cleveland Clinic disclosed Turk’s medical records in response to this subpoena, Turk sued the clinic for violating his privacy rights.

On May 4, 2010, Congressmen Rick Boucher (D-VA) and Cliff Stearns (R-FL) introduced draft legislation designed to protect the privacy of personal information both on the Internet and in offline contexts.

The legislation would apply to any “covered entity,” which is defined as “a person engaged in interstate commerce that collects data containing covered information.”  The term “covered information” is very broad and includes, but is not limited to, an individual’s first name or initial and last name, a postal address, a telephone number or an email address.  Government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period (and do not collect sensitive information) would not be considered “covered entities” for purposes of the law.

The Mexican Senate has unanimously approved a landmark data protection law governing information use in the private sector, la Ley Federal de Protección de Datos Personales en posesión de los particulares.  We provided information on the bill last week when the Chamber of Deputies voted to approve it.  The legislation has been forwarded to the president for signature.  We will provide further details as this story develops.

Legislators at the federal and state levels are urging social networking websites to enhance privacy protections available to their users.  On April 27, 2010, four U.S. Senators wrote a letter to Facebook’s CEO expressing “concern regarding recent changes to the Facebook privacy policy and the use of personal data on third party websites.”  The letter urged Facebook to provide opt-in mechanisms for users, as opposed to lengthy opt-out processes, and highlighted default sharing of personal information, third-party advertisers’ data storage and instant personalization features as three areas of concern.

On April 20, 2010, the Department of Commerce (“DOC”) issued a Notice of Inquiry to solicit public feedback “on the impact of current privacy laws in the United States and around the world on the pace of innovation in the information economy.”  The aim is to understand “whether current privacy laws serve consumer interests and fundamental democratic values.”  To this end, the DOC poses a number of questions, including:

• Is the notice and choice approach to consumer privacy outmoded?  Would consumers be better served by a “use-based” model?
• How does compliance with ...

On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt.  The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”