Privacy & Information Security Law Blog

On November 4, join our privacy professionals at the 31st International Conference of Data Protection and Privacy Commissioners in Madrid, Spain.  Participate in various presentations on ways to manage the most challenging data protection issues in today’s global environment.  In addition, the International Association of Privacy Professionals (“IAPP”) will host a Data Protection and Privacy Workshop in conjunction with the conference.

On Friday, October 23, 2009, the German Railways Operator Deutsche Bahn AG announced that they would pay a fine of over €1.1 million that was imposed on October 16, 2009 by the Berlin data protection authority.  This fine is the highest ever imposed by a German data protection authority.  The imposition of this fine follows a major data protection scandal that reportedly broke out within the company.  From 2002 to 2005, Deutsche Bahn had screened a large quantity of employee data and compared it to supplier data in an effort to combat corruption, but without specific suspicions related to ...

Although China has yet to enact a national data protection law, certain provincial-level rules implementing national consumer protection laws impact the collection and use of personal data.  These provincial regulations may warrant specific attention by entities doing business in the relevant Chinese provinces.  The impact of each of these will often be limited, both because they affect only enterprises doing business in the respective provinces and because the actual requirements of each of these regulations are typically modest.  Also, the potential penalties for violation ...

The November 1st deadline for compliance with the FTC’s Red Flags Rule Identity Theft Prevention Program requirements is rapidly approaching.  Of late, there has been a flurry of activity aimed at limiting the scope of the rule.  The Red Flags Rule, which was jointly promulgated by several federal agencies in November 2007, requires all “creditors” that offer or maintain a “covered account” to implement a written identity theft prevention program.  A “creditor” is defined broadly to include “any person who regularly extends, renews, or continues credit.”  In March 2009, the Federal Trade Commission (“FTC”) published a how-to guide for businesses to comply with the Red Flags Rule that confirmed the FTC will broadly construe the rule, stating that the definition of a “creditor” includes all businesses that “provide goods or services and bill customers later.”

The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice.  The model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA.  Once adopted and published in the Federal Register, the financial services agencies' final model notice will take effect in 30 days.

The GLBA requires, in relevant part, that financial institutions provide consumers with notice of their privacy policies and practices.  The privacy notice must describe a financial institution's disclosure of nonpublic personal information to affiliated and nonaffiliated third parties.  In addition, the notice must also give consumers a reasonable opportunity to opt out of certain sharing with nonaffiliated third parties.

The Federal Trade Commission is having a very busy week, announcing settlements in three high profile cases all before the close of business Tuesday.

The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists.  The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule.  MoneyGram has agreed to pay $18 million into a fund that will be used to pay restitution to consumers for facilitating fraud on American consumers from Canada.  The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions.  The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC's Red Flags Rule, including employee training and ongoing monitoring to detect fraud.

Hunton & Williams is pleased to announce that Richard Thomas CBE, the former UK Information Commissioner, has joined the firm as Global Strategy Adviser.  Richard Thomas was the UK’s Information Commissioner from November 2002 until his retirement at the end of June 2009.  He was appointed by HM The Queen and held independent status, reporting directly to Parliament, on a range of regulatory, promotional and advisory responsibilities under the Data Protection Act 1998, the Freedom of Information Act 2000 and related laws.  He also served as a member of the European Union’s Article ...

On October 14, 2009, the Australian government released a report entitled “Enhancing National Privacy Protection” that contains proposed reforms to Australia’s privacy laws, including the Privacy Act 1988 (“Privacy Act”).  In announcing the report, Cabinet Secretary and Special Minister of State Joe Ludwig stated that the reforms aim to “provide for one set of streamlined Privacy Principles for Australian Government agencies and private sector organizations which will provide greater clarity and cut red tape.”  The report comprises the first stage of a two-stage response to a report issued by the Australian Law Reform Commission (“ALRC”) in 2008 that contained 295 recommendations to revise Australian privacy laws and practices.

On October 5, 2009, the Federal Trade Commission (“FTC”) issued amendments to its Guides for the Use of Endorsements and Testimonials in Advertising (“Guides”).  Reactions to the amendment have primarily focused on the provisions that require bloggers to disclose their relationship with companies whose products they endorse.  Largely absent from the commentary, however, have been observations regarding theories articulated in the amendments that demonstrate the risk of enforcement for companies that do not have a blog and that do not use third-party bloggers for promotion.

The new UK Information Commissioner, Christopher Graham, shared his vision for data protection regulation at his first conference speech in London yesterday.  As the keynote speaker at the 8th Annual Privacy and Data Protection Conference, chaired by Hunton & Williams partner, Bridget Treacy, Christopher Graham positioned himself as a fair, but tough, regulator who will not be afraid to use his strengthened enforcement powers.