Privacy & Information Security Law Blog

On March 21, 2014, the Article 29 Working Party (the “Working Party”) issued a Working Document containing draft ad-hoc contractual clauses for transfers of personal data from data processors in the EU to data sub-processors outside the EU (the “Working Document”).

On April 8, 2014, the European Court of Justice ruled that the EU Data Retention Directive is invalid because it disproportionally interferes with the European citizens’ rights to private life and protection of personal data. The Court’s ruling applies retroactively to the day the Directive entered into force.

On April 7, 2014, the U.S. District Court for the District of New Jersey issued an opinion in Federal Trade Commission v. Wyndham Worldwide Corporation, allowing the FTC to proceed with its case against the company. Wyndham had argued that the FTC lacks the authority to regulate data security under Section 5 of the FTC Act. The judge rejected Wyndham’s challenge, ruling that the FTC can charge Wyndham with unfair data security practices. The case will continue to be litigated on the issue of whether Wyndham’s data security practices constituted a violation of Section 5.

As reported in the Hunton Employment & Labor Perspectives Blog:

On February 14, 2014, San Francisco passed the San Francisco Fair Chance Ordinance and became the latest national municipality to “ban the box” and limit the use of criminal background checks in employment hiring decisions. The deadline for San Francisco employers to comply with the San Francisco Fair Chance Ordinance is August 13, 2014. The “ban the box” campaign continues to gain momentum – San Francisco joins other cities (Buffalo, Newark, Philadelphia, and Seattle) and states (Hawaii, Massachusetts ...

On March 28, 2014, the 87th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for the 17 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Andrea Voßhoff, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

As reported in the Hunton Employment & Labor Perspectives Blog, on March 10, 2014, the Federal Trade Commission and the Equal Employment Opportunity Commission issued joint guidance regarding the use of background checks in the employment context. The agencies issued two guidance documents: Background Checks: What Employers Need to Know (which advises employers on their existing legal obligations under both the Fair Credit Reporting Act and federal non-discrimination laws) and Background Checks: What Job Applicants and Employees Should Know (which informs job applicants ...

On March 28, 2014, the Department of Health and Human Services’ (“HHS’”) Office for Civil Rights (“OCR”) released a tool to assist covered entities in complying with the HIPAA Security Rule requirement to conduct a risk assessment. The HIPAA Security Rule obligates covered entities to accurately and thoroughly assess “the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information” (“PHI”) they maintain. The tool, which is aimed at small to medium health care providers, was developed jointly by OCR and the HHS Office of the National Coordinator for Health Information Technology (“ONC”), and follows the National Institute of Standards and Technology’s development of a similar toolkit.

The recent leak of an internal memo to the former Chair of the Federal Energy Regulatory Commission, which was widely reported by national news media, has created a national security setback for the United States. Many are concerned that the disclosure may provide terrorists and other bad actors a roadmap for causing a prolonged nationwide blackout. Perhaps more importantly, the leak undermines the relationship of trust between industry and government agencies that the parties have been working for years to establish; a relationship that is vital to developing a stronger security ...

On March 25, 2014, the Article 29 Working Party adopted Opinion 03/2014 (the “Opinion”) providing guidance on whether individuals should be notified in case of a data breach.

The Opinion goes beyond considering the notification obligations contained in the e-Privacy Directive 2002/58/EC, which requires telecommunications service providers to notify the competent national authority of all data breaches. The Directive also requires notification (without undue delay) to the affected individuals when the data breach is likely to adversely affect the personal data or privacy of individuals, unless the service provider has satisfactorily demonstrated that it has implemented appropriate technological safeguards that render the relevant data unintelligible to unauthorized parties and that these measures were applied to the data concerned by the security breach.

On March 20, 2014, Australia’s Privacy Amendment (Privacy Alerts) Bill 2014 was re-introduced in the Senate for a first read. The bill, which was subject to a second reading debate on March 27, 2014, originally was introduced on May 29, 2013, but it lapsed on November 12, 2013 at the end of the session.