In France, before implementing a whistleblowing process, a company must inform and consult with its employees’ representatives, inform its employees and notify the French Data Protection Agency (CNIL). There are two possible ways to notify the CNIL of a whistleblowing system: request a formal authorization from the CNIL (this is quite burdensome and difficult to… Continue Reading
After a decision denying class certification last week, claims by Hulu users that their personal information was improperly disclosed to Facebook are limited to the individual named plaintiffs (at least for now, as the decision was without prejudice). The plaintiffs alleged Hulu violated the federal Video Privacy Protection Act by configuring its website to include a… Continue Reading
The determination of the territorial scope of the current EU Directive n° 95/46 is still under dispute both before national Courts and the European Court of Justice (ECJ). This issue may soon become moot with the adoption of future data protection regulation, which may modify and expand the territorial scope of EU data privacy law,… Continue Reading
On September 27, 2013, California Governor Jerry Brown signed into law an amendment to California’s breach notification law (Cal. Civ. Code § 1798.82). Effective January 1, 2014, under the amended law, the definition of “Personal Information” will be expanded to include “a user name or email address, in combination with a password or security question… Continue Reading
In February of 2013, President Obama signed an executive order with the purpose of creating a cybersecurity framework (or set of voluntary standards and procedures) to encourage private companies that operate critical infrastructure to take steps to reduce their cyber risk (see our blog here). Critical Infastructure Systems such as the electric grid, drinking water,… Continue Reading
In France, the guiding principle is that emails received or sent by an employee through the employer’s company email account are considered “professional”, which means that the employer can access and read them. However, French employers must be cautious before accessing their employees’ professional emails because they are not permitted to access emails that have… Continue Reading
On June 20, 2013, the California Court of Appeal affirmed the dismissal of a putative class action which alleged that Chevron violated California’s Song-Beverly Credit Card Act (“Song-Beverly”) by requiring California customers to enter ZIP codes in pay-at-the-pump gas station transactions in locations with a high risk of fraud. Flores v. Chevron U.S.A. Inc., No…. Continue Reading
Are social media companies based in the United States subject to European data privacy laws? Two recent judicial decisions – one in France and the other in Germany – arrived at different answers. The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal… Continue Reading
California Assembly Member, Bonnie Lowenthal, recently introduced the “Right to Know Act of 2013″ (AB 1291), which would require any company that retains a California resident’s personal information to provide a copy of that information to that person, free of charge, within 30 days of the request. The company would also have to disclose a… Continue Reading
In a recent ruling arising from certain certified questions in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012, the Massachusetts Supreme Court interpreted “personal identification information” under Mass. Gen. Laws, ch. 93, § 105(a) Section 105(a) to include a consumer’s ZIP code and determined that collecting such personal information is… Continue Reading
As announced during the 2013 State of the Union Address, President Obama recently signed an Executive Order on cybersecurity. The primary goals of the Executive Order are to (a) improve communication between private companies and the federal government about emerging cyber threats and (b) safeguard the nation’s critical infrastructure against cyber attacks by developing and implementing… Continue Reading
On December 28, 2012, the Standing Committee of China’s National People’s Congress, China’s legislative body, passed the “Decision on Strengthening Network Information Protection” (the “Decision”), which contains various principles for protecting, collecting and using electronic personal information in China. According to the Decision, these principles were passed in order to protect network information security, protect… Continue Reading
The California Supreme Court held on February 4, 2013 that the provision of the Song-Beverly Credit Card Act of 1971 (the “Act”) prohibiting retailers from requesting personally identifying information as a condition to processing credit card transactions does not apply to online purchases of electronically downloadable items. (Apple v. Super. Ct., S199384, Case No. B238097,… Continue Reading
For the fourth time since the Massachusetts data security regulations took effect in March 2010, the Massachusetts Attorney General’s Office (“AGO”) has settled allegations that Massachusetts-based entities violated the regulations. On January 7, 2013, Suffolk Superior Court approved consent judgments pursuant to which five entities agreed to collectively pay $140,000 to settle allegations that they… Continue Reading
The European Commission’s revised data protection framework proposals include provisions intended to encourage the use of data protection privacy seals, certification mechanisms and trust marks. These provisions would allow data subjects to instantly assess the privacy standards applied by data controllers and processors, thereby providing the comfort that data subjects often seek. The UK Information… Continue Reading
Earlier this month, the Securities and Exchange Commission (“SEC”) instituted public administrative and cease and desist proceedings against eBX, LLC (“eBX”), a broker-dealer registered with the SEC. eBX operates LeveL ATS, an alternative trading system (“ATS”) known as a “black pool,” which is a proprietary market where traders may exchange large blocks of stock with… Continue Reading
On June 29, 2012, New Jersey Governor Chris Christie signed into law legislation amending New Jersey’s unclaimed property law relating to the escheat of abandoned stored value cards (SVCs) to the state. Under the original unclaimed property law, which took effect July 1, 2010, SVCs that were inactive for two years were presumed abandoned, and New Jersey required that the monetary value associated with the inactive cards be escheated to the state. Additionally, SVC issuers were required to (a) “obtain” the name and address of each card owner or purchaser, and (b) “at a minimum, maintain a record of the zip code of the owner or purchaser” of each SVC. Under the amended law, SVCs are presumed abandoned after five years of inactivity (as opposed to two years), and SVC issuers have a forty-eight month grace period before they are required to collect the names, addresses, and zip codes of SVC owners or purchasers. Issuers that do not collect purchasers’ names and addresses in the normal course of business or during a card-registration process are exempted from collecting purchasers’ names and addresses under the law, but they are still required to collect and maintain purchasers’ zip codes.
It should be noted that the unclaimed property law potentially conflicts with a separate New Jersey law protecting the personal information of credit card holders (N.J. Stat. § 56:11-17 (2012)). That law makes it unlawful for any person to require the disclosure of any personal identification information from a credit card holder that is not required to complete the transaction as a condition of allowing the card holder to use the credit card to complete the transaction. While we await the resolution of this potential conflict, courts may rule that no conflict exists: § 56:11-17 only addresses credit card use, but the state’s unclaimed property law makes no distinction between payment methods (and, therefore, doesn’t condition the use of a credit card on the collection of personal information).
On June 7, 2012, the Article 29 Working Party, an independent advisory body composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, issued Opinion 04/2012 regarding which types of cookies are exempted from the informed user-consent requirement under Directive 2002/58… Continue Reading
On the heels of Vermont’s recent amendment to its data breach notification law, Connecticut’s legislature recently amended its own data breach notification law. The amended law will take effect on October 1, 2012.
On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers. French legislator recently amended… Continue Reading
On May 8th, Vermont became the most recent state to amend its security breach notification law. Among the many changes, companies that are affected by a data breach are now required to notify the Attorney General of Vermont within 45 days after the discovery or notification of the breach.
The Massachusetts Attorney General’s Office ("AGO") has entered into an Assurance of Discontinuance (the "Settlement") with a Massachusetts company after allegations that the company failed to adequately protect personal information of Massachusetts residents. The AGO alleged that an employee of Maloney Properties, Inc. ("MPI") stored unencrypted personal information on a company laptop, and failed to… Continue Reading