Header graphic for print

Privacy Law Blog

Toward the enforceability of the “right to be forgotten” in Europe

Posted in Data Privacy Laws, European Union

The European Court of Justice, in a decision rendered on May 13, 2014, held that search engines are considered data controllers under the Directive of October 24, 1995 on data protection, and as such they must provide data subjects with a “right to be forgotten.” Continue Reading

California Breaks New Ground in Education Privacy Law with K-12 Student Data Privacy Bill

Posted in California, Children's Online Privacy Protection Act, Cloud Computing, Data Privacy Laws

A substantial rise in schools’ use of online educational technology products has caused educators to become increasingly reliant on these products to develop their curricula, deliver materials to students in real time, and monitor students’ progress and learning habits through the collection of data by third-party cloud computing service providers.  Unfortunately, with these advances come the data security concerns that go hand-in-hand with cloud computing—such as data breaches, hacking, spyware, and the potential misappropriation or misuse of sensitive personal information.  With the Family Educational Rights and Privacy Act (FERPA)—federal legislation enacted to safeguard the privacy of student data—in place for four decades, the education sector is ripe for new standards and guidance on how to protect students’ personal information in the era of cloud computing. California has tackled this issue head on, with the passage of two education data privacy bills by its legislature on August 30, 2014.  Senate Bill 1177 and Assembly Bill 1442 (together, the Student Online Personal Information Protection Act (SOPIPA)) create privacy standards for K-12 school districts that rely on third-parties to collect and analyze students’ data, and require that student data managed by outside companies remain the property of those school districts and remain within school district control. Continue Reading

Major Barrier to E-Commerce in Middle East and North Africa is Fear about Data Security

Posted in Articles, E-Commerce

In a recent article published by Law 360, Proskauer litigation associate Courtney Bowman outlines how companies can make inroads in the e-commerce market in the Middle East and North Africa (MENA).  Although often overlooked, the region’s relative wealth and level of internet penetration make its more stable areas attractive markets for those companies willing to undertake the steps necessary to understand the region’s cultural nuances and customer preferences.  Two of the most significant barriers to e-commerce growth in MENA is the widespread reluctance of customers to shop online due to fears about the security of online transactions, as well as the low rate of credit card use in the region.  As the article notes, however, e-commerce companies willing to offer solutions tailored to address these concerns, such as cash cards and m-payment systems, may be poised to establish a potentially lucrative presence in this part of the world.

Is the Flap Over Microsoft Emails in Ireland Overblown?

Posted in Articles, Electronic Communications

Corporate Counsel published an article authored by Nolan Goldberg, Senior Counsel, Intellectual Property and Technology, concerning the recent decision compelling Microsoft to produce e-mails located on foreign servers. The article, entitled “Is the Flap Over Microsoft Emails in Ireland Overblown?”, provides a counter-point to critics who believe that Judge Preska’s Order will have broad implications for the U.S. technology industry.

Capital One to Pay Largest TCPA Settlement on Record

Posted in TCPA

Capital One Financial Corp. (“Capital One”) and three collection agencies have agreed to pay one of the largest settlement amounts in history — $75.5 million — to end a consolidated class action lawsuit alleging that the companies used an automated dialer to call customers’ cellphones without consent in violation of the twenty-two-year-old Telephone Consumer Protection Act (“TCPA”). Judge Holderman of the Northern District of Illinois preliminarily approved the settlement in late July.  Continue Reading

Microsoft Ordered to Hand Over Data to the U.S. Government

Posted in Cloud Computing, Data Privacy Laws, International, Invasion of Privacy, Uncategorized

In April, Microsoft tried to quash a search warrant from law enforcement agents in the United States (U.S.) that asked the technology company to produce the contents of one of its customer’s emails stored on a server located in Dublin, Ireland. The magistrate court denied Microsoft’s challenge, and Microsoft appealed. On July 31st, the software giant presented its case in the Southern District of New York where it was dealt another loss. Continue Reading

PCI Council Issues Biz Tips to Reduce 3rd Party Security Risk

Posted in Data Breaches, Financial Privacy

On August 7, 2014 the PCI Security Standards Council issued new guidance to supplement PCI DSS Requirement 3.0 and help organizations reduce the risks associated with entrusting third-party service providers (“TPSPs”) with consumer payment information.  More and more merchants use TPSPs to store, process and transmit cardholder data or manage components of the entity’s cardholder data environment.  A number of studies have shown that breach is tied increasingly to security vulnerabilities introduced by third parties.  To combat such risk, a PCI special interest group made up of merchants, banks and TPSPs, together representing more than 160 organizations, created practical guidelines for how merchants and their business partners can work together to comply with the existing PCI standard and protect against breach. Continue Reading

Massachusetts Enforces Data Security Regulations Against Out-of-State Entity

Posted in Data Breaches, Data Privacy Laws, HIPAA, Privacy Litigation

On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with an out-of-state Rhode Island hospital, Women & Infants Hospital of Rhode Island (“WIH” or the “Hospital”), resolving a lawsuit against WIH for violations of federal and state information security and privacy laws involving the loss of over 12,000 Massachusetts residents’ sensitive patient health records.  The regulations and laws at issue were Mass. G.L. c. 93A, Mass. G.L. c. 93H and its implementing regulations codified at 201 C.M.R. 17.00 et. seq., as well as federal regulations under the Health Insurance Portability and Accountability Act (“HIPAA”). Continue Reading

SEC Commissioner Highlights Need for Cyber-Risk Management in Speech at New York Stock Exchange

Posted in Cyber Security

As we’ve previously reported, cyber risks are an increasingly common risk facing businesses of all kinds.  In a recent speech given at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar emphasized that cybersecurity has grown to be a “top concern” of businesses and regulators alike and admonished companies, and more specifically their directors, to “take seriously their obligation to make sure that companies are appropriately addressing those risks.” Continue Reading

e-IDs: the Future of Secure Digital Identification?

Posted in European Union, International, Legislation

Over the past decade, the EU has made significant technological and legal strides toward the widespread adoption of electronic identification cards.  An electronic ID card, or e-ID, serves as a form of secure identification for online transactions – in other words, it provides sufficient verification of an individual’s identity to allow that person to electronically sign and submit sensitive documents such as tax returns and voting ballots over the Internet.  Many people see e-IDs as the future of secure identification since they offer the potential to greatly facilitate cardholders’ personal and business transactions, and the EU Commission has recognized this potential by drafting regulations meant to eliminate transactional barriers currently hindering the cards’ cross-border reach.  However, the increasingly widespread use of e-ID systems also gives rise to significant data security concerns. Continue Reading

One year of Data Protection Enforcement in France: what the CNIL’s Activity Report 2013 Reveals and what to expect in 2014

Posted in International

According to the French Data Protection Authority’s (“CNIL”) recently issued activity report for 2013, the CNIL was especially busy in 2013. The main topics addressed by the CNIL in 2013 were the creation of a national consumer credit database, the right to be forgotten, the right to refuse cookies, the proposed EU Regulation, and, of course, the revelations concerning the U.S. Prism program and the surveillance of European citizens’ personal data by foreign entities. The report also presents the main issues that the CNIL will tackle in 2014. Such issues include privacy in relation to open data, as well as in relation to new health monitoring apps or quantified self apps. The CNIL will also deal with “digital death” and more specifically, on how to deal with the social network profiles of deceased persons. Continue Reading

France Facilitates Implementation of Whistleblowing Systems

Posted in Data Privacy Laws

In France, before implementing a whistleblowing process, a company must inform and consult with its employees’ representatives, inform its employees and notify the French Data Protection Agency (CNIL).

There are two possible ways to notify the CNIL of a whistleblowing system:

  1. request a formal authorization from the CNIL (this is quite burdensome and difficult to obtain), or
  2. opt for the standard whistleblowing authorization (AU-004). Continue Reading