Privacy & Information Security Law Blog

On February 24, 2010, the French Senate’s Committee of Laws published an amended bill on the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Bill”).  Following the initial draft presented by Senators Yves Détraigne and Anne-Marie Escoffier, this revised version is based on a second Senate Report in which concrete proposals are made to amend the Data Protection Act.

On March 2, 2010, the German Federal Constitutional Court ruled that the mass storage of telephone and Internet data for law enforcement purposes is unlawful in its current form.

Since 2008, the challenged law has required telecom companies to retain data from telephone, email and Internet traffic, as well as mobile phone location data, for six months.  This information may be retrieved for law enforcement and safety purposes.  Constitutional claims were brought before the Court by nearly 35,000 citizens, representing the largest mass claim proceeding in German history. 

On February 16, 2010, the Article 29 Working Party adopted Opinion 1/2010 (the “Opinion”) providing further clarification and guidance on the interpretation of the concepts of “data controller” and “data processor” in the context of the EU’s Data Protection Directive 95/46/EC.

On February 25, 2010, the Federal Trade Commission filed a notice that it is appealing the D.C. District Court’s December 28, 2009 judgment in favor of the American Bar Association in American Bar Association v. FTC.  The District Court’s summary judgment held that the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule” or the “Rule”) does not apply to attorneys or law firms.  The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain ...

In February 24, 2010, an Italian court in Milan found three Google executives guilty of violating applicable Italian privacy laws.  The executives were accused of violating Italian law by having allowed a video showing an autistic teenager being bullied to be posted online.  The Google executives, Senior Vice President and Chief Legal Officer David Drummond, Chief Privacy Counsel Peter Fleischer and former Chief Financial Officer George Reyes, were fined and received six-month suspended jail sentences.

On February 22, 2010, the Federal Trade Commission issued a news release indicating that it had notified almost 100 organizations that personal data about their customers, students or employees had been shared from their computer networks on peer-to-peer (“P2P”) file sharing sites, thereby exposing the data of affected individuals to possible identity theft and fraud.  In its letters, the FTC urged recipient entities to review their internal security procedures and the security procedures of their third party service providers.  The letters also recommended that the ...

After several delays and revisions, the Massachusetts information security regulations, entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth,” will take effect on March 1, 2010. The regulations apply to entities that own or license personal information about Massachusetts residents. “Personal information” is defined as a combination of a resident’s first and last name and Social Security number, driver’s license or state ID number, or financial account number or payment card number that permits access to the individual’s financial account.

The U.S. Supreme Court has set oral argument for April 19, 2010, to review the Ninth Circuit’s 2008 decision on employee privacy in Quon v. Arch Wireless Operating Co.  Although Quon concerns the scope of privacy rights afforded to public employees under the Fourth Amendment, the case also has forced private employers to renew their focus on ensuring robust and consistent enforcement of employee monitoring policies.  Unlike government employers, private employers are not subject to the Fourth Amendment’s prohibition against unreasonable searches and seizures; instead, they must comply with federal wiretap statutes and state law.  In practice, however, the “reasonable expectation of privacy” test courts apply to state common law privacy claims that govern private employers is virtually identical to the Fourth Amendment test.  Accordingly, the Supreme Court’s review of the Constitutional test likely will affect how courts view privacy claims brought against private employers.

We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published.  The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule.  Similarly, the HITECH Act requires covered entities to provide in their business associate agreements that all of the HITECH Act’s security requirements applicable to covered entities are also applicable to business associates.

A computer user’s failure to secure his wireless network contributed to the defeat of his claim that a neighbor’s unwelcome access to his files violated the Electronic Communications Privacy Act ("ECPA").  The ECPA places restrictions on unauthorized interception of, and access to, electronic communications.