Privacy & Information Security Law Blog

On May 12, 2014, the U.S. Chamber of Commerce released a report highlighting the benefits of cross-border data transfers across all sectors of the economy. Hunton & Williams LLP’s Global Privacy and Cybersecurity team developed the report with the Chamber of Commerce. The report, Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity, presents pragmatic solutions for developing international mechanisms that both protect privacy and facilitate cross-border data flows.

On May 9, 2014, the Federal Trade Commission announced a settlement with clothing manufacturer American Apparel related to charges that the company falsely claimed to comply with the U.S.-EU Safe Harbor Framework. According to the FTC’s complaint, the company violated Section 5 of the FTC Act by deceptively representing, through statements in its privacy policy, that it held a current Safe Harbor certification even though it had allowed the certification to expire.

On May 8, 2014, the Federal Trade Commission announced a proposed settlement with Snapchat, Inc. (“Snapchat”) stemming from allegations that the company’s privacy policy misrepresented its privacy and security practices, including how the Snapchat mobile app worked. Snapchat’s app supposedly allowed users to send and receive photo and video messages known as “snaps” that would “disappear forever” after a certain time period. The FTC alleged that, in fact, it was possible for recipients to save snaps indefinitely, regardless of the sender-designated expiration time.

Hunton & Williams LLP’s Centre for Information Policy Leadership president, Bojana Bellamy, has been selected to participate in the “Privacy Bridge Project,” a new transatlantic initiative that seeks to develop practical solutions to bridge the gap between European and U.S. privacy regimes. Bellamy joins a distinguished group of approximately 20 privacy experts from the EU and U.S., convened by Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority and former Chairman of the Article 29 Working Party.

On May 7, 2014, the Department of Health and Human Services (“HHS”) announced that NewYork-Presbyterian Hospital (“NYP”) and Columbia University (“CU”) agreed to collectively pay $4.8 million in the largest HIPAA settlement to date, to settle charges that they potentially violated the HIPAA Privacy and Security Rules.

On May 6, 2014, the Consumer Financial Protection Bureau (“CFPB”) announced a new proposed rule impacting privacy notices that financial institutions are required to issue under the Gramm-Leach-Bliley Act (“GLB”). Under the current GLB Privacy Rule, financial institutions must mail an annual privacy notice (the “GLB Privacy Notice”) to their customers that sets forth how they collect, use and disclose those customers’ nonpublic personal information (“NPI”) and whether customers may limit such sharing.

On May 6, 2014, the Office of the Privacy Commissioner of Canada announced the Global Privacy Enforcement Network’s (“GPEN’s”) second annual enforcement sweep. The sweep will focus on mobile app privacy and how mobile apps collect and use personal data.

On April 21, 2014, the Securities and Exchange Commission’s Division of Corporation Finance published new Compliance and Disclosure Interpretations (“C&DIs”) concerning the use of social media in certain securities offerings, business combinations and proxy contests. Notably, the C&DIs permit the use of an active hyperlink to satisfy the cautionary legend requirements in social media communications when the social media platform limits the text or number of characters that may be included (e.g., Twitter). The C&DIs also clarify that postings or messages re-transmitted by unrelated third parties generally will not be attributable to the issuer (so issuers will not be required to ensure that third parties comply with the guidance). In addition, requirements regarding cautionary legends contemplated by the C&DIs apply to both issuers and other soliciting parties in proxy fights or tender offers. Accordingly, although the new guidance will allow issuers to communicate with their shareholders and potential investors via social media, it also may prove useful to activists in proxy fights and tender offers.

On February 18, 2014, the Frankfurt am Main Regional Court issued a ruling addressing the use of opt-out notices for web analytics tools. The case concerned Piwik web analytics software and its “AnonymizeIP” function. The court held that website users must be informed clearly about their right to object to the creation of pseudonymized usage profiles. This information must be provided when a user first visits the website (e.g., via a pop-up or highlighted/linked wording on the first page) and must be accessible at all times (e.g., via a privacy notice).

On May 1, 2014, the White House released a report examining how Big Data is affecting government, society and commerce. In addition to questioning longstanding tenets of privacy legislation, such as notice and consent, the report recommends (1) passing national data breach legislation, (2) revising the Electronic Communications Privacy Act (“ECPA”), and (3) advancing the Consumer Privacy Bill of Rights.