Privacy & Information Security Law Blog

On March 12, 2014, the European Parliament formally adopted the compromise text of the proposed EU General Data Protection Regulation (the “Regulation”). The text now adopted by the Parliament is unchanged and had already been approved by the Parliament’s Committee on Civil Liberties, Justice and Home Affairs in October of last year. The Parliament voted with 621 votes in favor, 10 against and 22 abstentions for the Regulation.

On March 10, 2014, the German Federal Commissioner for Data Protection and Freedom of Information and all 16 German state data protection authorities responsible for the private sector issued guidelines on the use of closed-circuit television (“CCTV”) by private companies. The guidelines provide information regarding the conditions under which CCTV may be used and outline the requirements for legal compliance. The guidelines feature:

On March 7, 2014, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $215,000 settlement with Skagit County, Washington, following a security breach that affected approximately 1,600 individuals.

On March 6, 2014 the Article 29 Working Party (the “Working Party”) published a comprehensive Opinion: Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross-Border Privacy Rules submitted to APEC CBPR Accountability Agents. This blog post provides an overview of the Opinion.

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently released guidance about the use and disclosure of mental health information. The guidance, entitled “HIPAA Privacy Rule and Sharing Information Related to Mental Health,” contains thirteen questions and answers that address the following topics:

On March 6, 2014, the U.S. Federal Trade Commission (“FTC”) and UK Information Commissioner’s Office (“ICO”) signed a memorandum of understanding (“MOU”) to promote increased cooperation and information sharing between the two enforcement agencies.

On March 5, 2014, the French Data Protection Authority (the “CNIL”) issued new guidelines in the form of five practical information sheets that address online purchases, direct marketing, contests and sweepstakes, and consumer tracking (the “Guidelines”).

Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 5-7, 2014. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

On February 25, 2014, the UK Information Commissioner’s Office (“ICO”) published an updated code of practice on conducting privacy impact assessments (“PIAs”) (the “Code”). The updated Code takes into account the ICO’s consultation and research project on the conduct of PIAs, and reflects the increased use of PIAs in practice.

On February 27, 2014, Chairwoman of the French Data Protection Authority (the “CNIL”) Isabelle Falque-Pierrotin was elected Chairwoman of the Article 29 Working Party effective immediately. Ms. Falque-Pierrotin succeeds Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, who chaired the Article 29 Working Party for four years. The Working Party also elected two new Vice-Chairs: Wojciech Rafal Wiewiórowski of the Polish Data Protection Authority, and Gérard Lommel of the Luxembourg Data Protection Authority.