EU Article 29 Working Party Clarifies Definitions of "Data Controller" and "Data Processor"

On February 16, 2010, the EU Article 29 Working Party published Opinion 1/2010, in which it clarified the definitions of “data controller” and “data processor” as those designations are used within the European Data Protection Directive (the “Directive”). The Working Party’s opinion is welcome guidance, not only because the designations determine who is responsible for compliance with data protection rules and how data subjects can exercise their rights, but also because the European Commission recently updated its Standard Contractual Clauses (which we blogged about here). Additionally, such designations are often difficult to apply in practice, especially given the increasing complexity of globalization, organizational differentiation, and information and communication technologies.


Lack of Standing Argument Wins Against Supposed Data Breach Victim

Calling an alleged data breach victim’s assertion of injury-in-fact “far too speculative,” a Pennsylvania federal district court recently dismissed a class action suit filed against Aetna, Inc. for lack of standing. In Allison v. Aetna, the court indicated that while a plaintiff in a data breach case may assert an increased risk of harm to satisfy the injury-in-fact requirement for standing, the threat of harm must be credible rather than a mere possibility of future harm.


Life Unlocked? FTC and 35 State Attorneys General Ding LifeLock, Inc. for Deceptive Claims and Poor Data Security

On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. and its co-founders, Richard Todd Davis and Robert J. Maynard. The settlement, which will require the identity theft protection services provider to pay $11 million to the FTC and an additional $1 million to the group of participating state attorneys general, resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. Specifically, the FTC alleged that LifeLock promised its customers complete protection against all types of identity theft, but the fraud alerts that LifeLock placed on its customers’ credit files protected only against certain forms of identity theft, which did not include medical identity theft, employment identity theft or the misuse of existing accounts – the most common form of identity theft. Moreover, the FTC alleged that even with respect to new account fraud, the type of identity theft for which fraud alerts are most effective, they do not provide absolute protection. LifeLock therefore deceived consumers by making statements like “LifeLock protects against [identity theft] ever happening to you. Guaranteed.”

In the words of FTC Chairman Jon Leibowitz, “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”


European Commission Seeks to Balance Data Protection and Business Globalization with Updated Standard Contractual Clauses

After years of negotiations, on February 5, 2010, the European Commission (EC) updated its Standard Contractual Clauses (SCCs), which set forth contract terms that govern the protection of personal data transferred from data exporters within the European Union (EU) to data processors outside the EU. On June 8, 2009, we wrote that the EC was considering implementing new SCCs. On May 15, 2010, the new SCCs, promulgated under 2010/87/EU, will go into effect, replacing the old SCCs, promulgated under 2002/16/EC.


We'll Give You (and Your Friends) a Hoodie to Go Away: Class Settlement in FACTA Truncation Lawsuit Receives Preliminary Approval

On February 3, 2010, Chief Judge Gary L. Lancaster of the U.S. District Court for the Western District of Pennsylvania preliminarily approved a class action settlement between Aramark Sports, LLC and a class of approximately 5,000 customers who made credit or debit card purchases from stores at PNC Park in Pittsburgh, Pennsylvania between March 24, 2009 and April 23, 2009. If approved at a final class action fairness hearing scheduled for April 5, 2010, the proposed settlement filed in Hanlon v. Aramark Sports, LLC, No. 09-cv-465 (W.D. Pa. Feb. 3, 2010), would resolve allegations made by the plaintiffs that Aramark violated the Fair and Accurate Credit Transactions Act’s (“FACTA”) truncation requirements by electronically printing receipts that contained (a) more than the last 5 digits of the plaintiffs’ credit or debit card numbers and/or (b) the expiration date of such cards. See our posts here and here for information about cases alleging similar violations of FACTA’s truncation requirements.
