Since when does a legal entity have "privacy" rights?

Since the Third Circuit said so, in its September 22, 2009 decision in AT&T v. Federal Communications Commission (No. 084024).

Most privacy practitioners would not consider a legal entity to have privacy rights. Rather, a legal entity may have trade secrets or contractual confidentiality protections. However, in its novel holding, the Third Circuit found that a corporation (AT&T) was protected by an exemption in the Freedom of Information Act (FOIA) that applies to “unwarranted invasions of personal privacy.” Specifically, FOIA exempts “records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information … could reasonably be expected to constitute an unwarranted invasion of personal privacy…” (emphasis added). This exemption, combined with FOIA’s definition of “person” to include legal entities, enabled AT&T to successfully argue that a corporation has a right to privacy. (After all, the court said, “it would be very odd indeed for an adjectival form of a defined term not to refer back to that defined term.”) As a result, AT&T’s competitors have not been able to obtain information about an FCC investigation of AT&T regarding AT&T’s alleged overcharging of some of its customers.

Whether this ruling will be followed in other FOIA cases, or used to expand the concept of privacy rights under other statutes, remains to be seen. For now, when submitting information to regulators in connection with investigations, companies should consider submitting such information as confidential, since doing so could help the company to later challenge attempts by competitors or other third parties to obtain such information from the regulator under FOIA.


HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information

On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively, published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify individuals of security breaches concerning their unsecured protected health information (“PHI”). With its rule, HHS also provided guidance on securing PHI through “encryption” and “destruction” measures. While compliance with these security measures is not required, conformance to the guidance offers a relative safe harbor for covered entities and vendors in the event of a security breach. See September 1, 2009 client alert from Proskauer's Health Care Department for additional information.

French Data Protection Agency Issues Recommendations Regarding Employees' Personal Data that Companies in France May Collect To Minimize the Impact of Swine Flu on Business Continuity

In anticipation of the Swine Flu and the consequences that it may have upon the continuity of the business of companies, the French Data Protection Agency (known under the acronym "CNIL") recently issued recommendations regarding employers’ collection of employee data in connection with their swine flu business continuity programs.

The French government has strongly recommended that companies set up a plan for the continuity of their businesses in case of pandemic flu. Indeed, in case of pandemic, the French authorities anticipate significant degrees of absenteeism among employees and a possible paralysis of certain companies if they are not sufficiently prepared. 

 


French Data Protection Authority Releases New Opinion on Compliance with U.S. Discovery Procedures

On August 19, 2009, the French Data Protection Agency (also known as the "CNIL") released a new opinion (the "Opinion") on the transfer of personal data from France to a jurisdiction outside of Europe. The Opinion is noteworthy for describing how personal data can be transferred from France to the United States pursuant to U.S. discovery proceedings. The Opinion stresses that it does not cover proceedings originating from U.S. governmental requests, such as requests by the Securities and Exchange Commission (SEC) or the Federal Trade Commission (FTC). The issue of international discovery transfers has been a particularly thorny and complex one, as it has often pitted the legal obligations of an entity in the United States to comply with U.S. discovery requirements against its obligations to comply with EU data protection laws, where it holds personal data on individuals located within the EU.


Update: Maine's Marketing to Minors Law Found Likely to Be Unconstitutional

The first lawsuit challenging Maine's Act to Prevent Predatory Marketing Practices Against Minors has concluded. The District of Maine issued a Stipulated Order of Dismissal on September 9, stating that there is a likelihood that the statute is "overbroad and violates the First Amendment", and putting third parties "on notice" that a private suit "could suffer from the same constitutional infirmities." In the meantime, the lawsuit was dismissed without prejudice, in light of the State Defendant's representation that Maine will not enforce the statute and that the Legislature will reconsider it when it reconvenes in January 2010.
 

Update: "Address Book Harvesting" Issues to Contend With

Earlier this year, we blogged about address book scraping and some of the issues associated with the practice, specifically transparency and the use of unsolicited, deceptive e-mails. In a suit against reunion.com, a recipient alleged that she received a “deceptive” e-mail from the site because it purported to be from her friend when in fact it was from reunion.com and sent without her friend’s consent.

Now another site has come under scrutiny for similar address book scraping tactics. This July, New York Attorney General Andrew M. Cuomo announced that he intends to sue Tagged.com (“Tagged”) for deceptive e-mail marketing practices and invasion of privacy.


FTC Enforces US/EU Safe Harbor Program For First Time

In early August, the Federal Trade Commission (“FTC”) announced the first enforcement action against a U.S. company for violation of the US/EU Safe Harbor Program. This enforcement action should serve as a call-to-action for all Safe Harbor program participants to review their safe harbor programs now, and re-affirm their compliance.

 


Flash Cookies -- Back on the Radar

 

When Flash cookies (also known as “Local Shared Objects”) were first flagged as a privacy issue back in 2005, a few savvy companies added a disclosure about Flash cookies into their web site privacy policies. Since then, we have not heard the issue raised again. Now this sleeper issue seems to have been awakened by a recent report by researchers at the University of California, Berkeley, entitled Flash Cookies and Privacy.

Flash cookies, which utilize a little-known capability of Adobe’s Flash plug-in, are a method to store information about a user’s preferences. (Estimates suggest that Adobe’s Flash software is installed on some 98 percent of personal computers.) Flash cookies may be used to provide better functionality to the user by, for example, storing the user’s preferences about sound volume or caching a music file for smoother play-back over an unreliable network connection. Flash cookies may also be used as unique identifiers that enable advertisers to track user preferences and circumvent deletion of HTTP cookies. Because Flash cookies are stored in a different location than HTTP cookies on one’s personal computer, simply erasing HTTP cookies, clearing browser history, or deleting the cache does not remove Flash cookies.


Proskauer Litigation Team Helps Secure Dismissal of Speculative Identity Exposure Claims Against BNY Mellon

Where the only harm alleged is mere “speculation as to a possible risk of injury,” a claim cannot survive a 12(b)(6) motion to dismiss, according to a District of Connecticut decision issued on August 31, 2009. McLoughlin v. People’s United Bank, Inc., and Bank of New York Mellon, Inc., No. 3:08-cv-00944-VLB (D. Conn. Aug. 31, 2009), thus follows a long and growing line of cases which simply hold that where there is no actual harm, there can be no case. 
