Privacy & Information Security Law Blog

On April 13, 2015, the Senate of Washington State unanimously passed legislation strengthening the state’s data breach law. The bill (HB 1078) passed the Senate by a 47-0 vote, and as we previously reported, passed the House by a 97-0 vote.

On November 16, 2015, the Federal Trade Commission will host a workshop in Washington, D.C., to examine the benefits and privacy risks associated with “cross-device tracking.” The workshop intends to highlight the types of cross-device tracking techniques and how businesses and consumers can benefit from these practices. The workshop also will address related privacy and security risks, and discuss whether self-regulatory programs apply to these practices.

On March 4, 2015, the House of Representatives of Washington passed a bill (HB 1078), which would amend the state’s breach notification law to require notification to the state Attorney General in the event of a breach and impose a 45-day timing requirement for notification provided to affected residents and the state regulator. The bill also mandates content requirements for notices to affected residents, including (1) the name and contact information of the reporting business; (2) a list of the types of personal information subject to the breach; and (3) the toll-free telephone numbers and address of the consumer reporting agencies. In addition, while Washington’s breach notification law currently applies only to “computerized” data, the amended law would cover hard-copy data as well.

On December 5, 2014, the Article 29 Working Party (the “Working Party”) published a Working Document on surveillance, electronic communications and national security. The Working Party (which is comprised of the national data protection authorities (“DPAs”) of each of the 28 EU Member States) regularly publishes guidance on the application and interpretation of EU data protection law. Although its views are not legally binding, they are strongly indicative of the way in which EU data protection law is likely to be enforced.

On October 6, 2014, the Irish Office of the Data Protection Commissioner (“ODPC”) announced its success in bringing prosecution proceedings against M.C.K Rentals Limited (“MCK”), a firm of private investigators, and its two directors, for breaches of the Irish Data Protection Acts 1998 and 2003. Specifically MCK and its directors were found to have (1) obtained personal data without the prior authority of the data controller who was responsible for the data and (2) disclosed the personal data obtained to various third parties.

On August 8, 2014, a court in Shanghai found a foreign couple guilty of illegal collection of personal information. British national Peter Humphrey was sentenced to two and a half years of imprisonment and a fine of RMB 200,000, and his wife was sentenced to two years of imprisonment and a fine of RMB 150,000. In addition, Humphrey will be deported after serving his term.

On June 25, 2014, U.S. Attorney General Eric Holder announced that the Obama Administration is looking to pass legislation that would provide EU citizens with a right to judicial redress in U.S. courts if their personal information that was shared for law enforcement purposes is later intentionally or wilfully disclosed. The announcement was made during the EU-U.S. Ministerial Meeting on Justice and Home Affairs in Athens, Greece, which was co-chaired by the Attorney General and aimed to advance EU-U.S. cooperation in efforts to stop transnational crime and terrorism. The announcement also relates to the ongoing negotiations of the new “umbrella” EU-U.S. Data Protection and Privacy Agreement (“DPPA”).

In March 2014, the State Postal Bureau of the People’s Republic of China (the “SPBC”) formally issued three rules (the “Rules”) establishing significant requirements regarding the protection of personal information: (1) Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users (the “Security Provisions”); (2) Provisions on the Reporting and Handling of Security Information in the Postal Sector (the “Reporting and Handling Provisions”); and (3) Provisions on the Management of Undeliverable Express Mail Items (the “Management Provisions”). The Rules, each of which became effective on its date of promulgation, were issued in draft form in November 2013 along with a request for public comment.

On November 27, 2013, the State Post Bureau of the People’s Republic of China (the “SPBC”) released five draft normative rules for solicitation of public comment. Three of these rules, respectively entitled Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users (the “Draft Provisions”), Provisions on the Reporting and Handling of Security Information in the Postal Sector (the “Reporting and Handling Provisions”), and Provisions on the Management of Undeliverable Express Mail Items (the “Management Provisions”) contain significant requirements regarding the protection of personal information. The deadline for submitting comments on the rules is December 27, 2013.

On November 15, 2013, the U.S. Government Accountability Office (“GAO”) released a report (the “Report”) finding that the current federal statutory privacy scheme contains “gaps” and “does not fully reflect” the Fair Information Practice Principles (“FIPPs”). The Report focused primarily on companies that gather and resell consumer personal information, and on the use of consumer personal information for marketing purposes.

Provisions of the economic stimulus legislation (known as the American Recovery and Reinvestment Act (“ARRA”)), recently passed by the U.S. House of Representatives, require certain entities to notify affected individuals, government agencies and the media of breaches of “unsecured protected health information.” Additional provisions substantially revise regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). While these provisions are specifically limited to the context of health data, they have ...