Privacy & Information Security Law Blog

On October 16, 2014, the 36th International Conference of Data Protection and Privacy Commissioners in Mauritius hosted a panel including representatives from the European Data Protection Supervisor ("EDPS") and Hunton & Williams to discuss the need for a coordinated approach to net neutrality and data protection in the EU. While there are divergent views on what net neutrality should (or should not) entail, net neutrality in the EU typically refers to the principle that all Internet traffic is treated equally and without discrimination, restriction or interference.

During the October 14, 2014 closed session of the 36th International Conference of Data Protection and Privacy Commissioners (the “Conference”) held in Balaclava, Mauritius, the host, the Data Protection Office of Mauritius, and member authorities of the Conference issued the “Mauritius Declaration on the Internet of Things,” and four new resolutions – a “Resolution on Accreditation” of new members, a “Resolution on Big Data,” a “Resolution on enforcement cooperation,” and a “Resolution on Privacy in the digital age.” Brief summaries of each of these documents are below.

In October 2014, the People’s Republic of China Supreme People’s Court issued interpretations regarding the infringement of privacy and personal information on the Internet. The interpretations are entitled Provisions of the Supreme People’s Court on Several Issues concerning the Application of the Rules regarding Cases of the Infringement of Personal Rights over Information Networks (the “Provisions”) and became effective on October 10, 2014.

On October 14, 2014, rent-to-own retailer Aaron’s, Inc. (“Aaron’s”) entered into a $28.4 million settlement with the California Office of the California Attorney General related to charges that the company permitted its franchised stores to unlawfully monitor their customers’ leased laptops.

On October 8, 2014, the Department of Homeland Security reported that over the course of several months, the network of a large critical manufacturing company was compromised. According to the ICS-CERT Monitor, the compromised company is a conglomerate that acquired multiple organizations in recent years, resulting in multiple corporate networks being merged. The Department of Homeland Security concluded that these mergers introduced latent weaknesses into the company’s network, allowing hackers to go largely undetected for a significant period of time.

On October 8, 2014, the Federal Trade Commission announced an $80 million settlement with mobile phone carrier AT&T Mobility, LLC (“AT&T”) stemming from allegations related to mobile cramming. The $80 million payment to the FTC is part of a larger $105 million settlement between AT&T and various federal and state regulators, including the Federal Communications Commission and the attorneys general of all 50 states and the District of Columbia. According to the FCC, “[t]he settlement is the largest enforcement action in FCC history.”

On October 1, 2014, the Food and Drug Administration (“FDA”) announced that it has issued final guidance regarding cybersecurity in medical devices, entitled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (the “Guidance”). The Guidance provides recommendations to device manufacturers for content “to include in FDA medical device premarket submissions for effective cybersecurity management.” The Guidance updates a draft guidance that was originally published in June 2013.

On October 6, 2014, the Irish Office of the Data Protection Commissioner (“ODPC”) announced its success in bringing prosecution proceedings against M.C.K Rentals Limited (“MCK”), a firm of private investigators, and its two directors, for breaches of the Irish Data Protection Acts 1998 and 2003. Specifically MCK and its directors were found to have (1) obtained personal data without the prior authority of the data controller who was responsible for the data and (2) disclosed the personal data obtained to various third parties.

On September 30, 2014, California Governor Jerry Brown announced the recent signings of several bills that provide increased privacy protections to California residents. The newly-signed bills are aimed at protecting student privacy, increasing consumer protection in the wake of a data breach, and expanding the scope of California’s invasion of privacy and revenge porn laws. Unless otherwise noted, the laws will take effect on January 1, 2015.

On September 4, 2014, the UK Information Commissioner’s Office (“ICO”) published guidance on data protection for the media entitled Data protection and journalism: a guide for the media (the “Guidance”).