Privacy & Information Security Law Blog

The Wall Street Journal is reporting that outgoing FTC Commissioner Pamela Jones Harbour criticized technology companies for publicly exposing consumer data, particularly during the rollout of new products.  Ms. Harbour lamented that companies do not take consumer privacy seriously.  She singled out the launch of Google Buzz as irresponsible conduct by “one of the greatest technology leaders of our time.”  Consumer advocates raised alarm when Google Buzz initially established Google Gmail users’ social network connections automatically based on the users’ email and chat contacts, and made that list public by default.  Ms. Harbour reiterated the advocates’ sentiment by stating that, from the time the product launched, consumers rather than Google should have decided whether or not to subscribe to the features that could expose their contact data.  Soon after the launch, Google changed the defaults to allow users more control.  Google put forth a conciliatory message, stating that user transparency and control are top priorities for the company and that Google is continuing to improve Buzz based on the feedback the company receives.

In a decision handed down on February 25, 2010, the French Constitutional Court ruled that the right to privacy derives from Article 2 of the Declaration of Human Rights, and is therefore considered a constitutional right under French law.  The Court also ruled that the legislature must strike a balance between the right to privacy and other fundamental interests, such as preventing threats to public safety, which are necessary to preserve constitutional rights and principles.

In conjunction with the celebration of its 10th anniversary on March 16, the International Association of Privacy Professionals is releasing a white paper on the future of the privacy profession entitled, “A Call for Agility: The Next-Generation Privacy Professional.”  When the IAPP initially was formed, the role of the chief privacy officer was newly emerging following the dot-com boom.  Over the past 10 years, the exponential increase in data collection and retention have propelled the privacy professional into senior levels of management.  Reflecting the growth of the privacy professional’s role, the IAPP’s membership has grown to include over 6,500 privacy professionals from businesses, governments and academic institutions across 50 countries.

In 2009, for the first time in three years, more publicly reported data security breaches were caused by hackers than by other sources, such as insider theft.  The nonprofit Identity Theft Resource Center (“ITRC”) tracks breaches involving five categories of data loss: (i) “data on the move,” such as lost laptops; (ii) accidental exposure; (iii) insider theft; (iv) losses involving subcontractors; and (v) hacking.  The ITRC’s 2009 Breach Report analyzed 498 publicly reported breaches affecting over 222 million total records, concluding that hacking may be on the rise.

According to BNA’s Privacy Law Watch, on March 8, 2010, Senator Patrick Leahy asked President Obama to nominate members for the dormant Privacy and Civil Liberties Oversight Board.  The Board, which was created in 2004 upon the recommendation of the 9/11 Commission, focuses on ensuring that privacy and civil liberties concerns are incorporated into anti-terrorism laws and regulations.  Although President Obama had pledged in May 2009 to reconstitute the board, which has had no members since January 2008, privacy advocates say that his focus on cybersecurity issues has delayed ...

On March 9, 2010, the European Court of Justice ruled that the Federal Republic of Germany’s practice of “state supervision” over data protection authorities violates EU Data Protection Directive 95/46/EC.  The case, brought by the EU Commission, is a milestone which will force Germany to change the structure of its DPA system and could have ramifications in other countries as well.

The Court’s decision is based on Article 28(1) of the Directive, which requires that data protection authorities (“DPAs”) act with “complete independence.” German law makes a distinction with regard to DPA supervision depending on whether the data processing is carried out by public or non-public bodies.  There are therefore different authorities responsible for monitoring public entities’ compliance with data protection provisions versus those that monitor compliance by private parties and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) outside the public sector (such as transportation and utility companies).

On March 9, 2010, the Federal Trade Commission announced that LifeLock, Inc., has agreed to pay $12 million to settle charges of deceptive advertising related to its identity theft protection services.  The FTC and the attorneys general of 35 states obtained the coordinated settlement pursuant to charges that LifeLock made false representations regarding the effectiveness of the protection its services offer consumers.  The FTC alleged that, contrary to assertions made in LifeLock’s advertisements, its products provide no protection from the most common form of identity ...

On March 3, 2010, the Senate unanimously confirmed the nominations of Julie Brill and Edith Ramirez to serve as FTC Commissioners for seven-year terms.  Most recently, Ms. Brill has served as Deputy Attorney General for Consumer Protection and Antitrust for the State of North Carolina.  She was formerly Assistant Attorney General for Consumer Protection and Antitrust for the State of Vermont and has served as Chair of the Committee on Privacy for the National Association of Attorneys General.  Edith Ramirez is a partner at Quinn Emanuel Urquhart Oliver & Hedges, LLP in Los Angeles ...

Alberta’s Information and Privacy Commissioner, Frank Work, issued a news release regarding the recent Court of Appeal of Alberta decision in Alberta Teachers’ Association v. Alberta (Information and Privacy Commissioner).  In the case, the Court held that the Information and Privacy Commission has no authority to extend investigation time limits under the Personal Information Protection Act (“PIPA”) after the statutory time limit has expired.  Further, if the Commissioner extends the time in an inquiry process within the time limit, he must provide reasons for the extension, and his decision will be subject to judicial review.  The Court noted that “[b]lanket or routine extensions seem unlikely to be regarded as reasonable if they cannot also be justified in the specific circumstances of the case.”  PIPA is provincial legislation that governs the use of personal information by private sector organizations in Alberta.

On March 3, 2010, the UK Information Commissioner launched a report on the "Privacy Dividend" (the “Report”), which outlines the business case for proactively investing in privacy protection.  The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.