On the heels of Vermont’s recent amendment to its data breach notification law, Connecticut’s legislature recently amended its own data breach notification law. The amended law will take effect on October 1, 2012.
Is data breach notification compulsory under French law?
On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers.
The French legislator recently amended Article 34 of the Data Protection Act to reflect the EU e-Privacy Directive’s breach notification requirement. According to Article 34 of the French data protection law (as revised), the notification obligations are applicable if:
- Personal data is processed;
- By an electronic communications service provider;
- During the course of its business of providing electronic communications services (e.g. telephone service or internet access).
Vermont Amends Security Breach Notification Law
On May 8th, Vermont became the most recent state to amend its security breach notification law. Among the many changes, companies that are affected by a data breach are now required to notify the Attorney General of Vermont within 45 days after the discovery or notification of the breach.
…
Massachusetts Hospital Agrees to Pay $775,000 for Security Breach
Following a two-year investigation by the Massachusetts Attorney General’s Office (“AGO”), a local Massachusetts hospital has agreed to pay $775,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers. The investigation and settlement resulted from a data breach disclosed by South Shore Hospital in 2010, where the information disclosed included individuals’ names, Social Security numbers, financial account numbers and medical diagnoses.
Governing the Code of Life
What if the story of your life was written at birth, a “future diary” available for someone to read? The decoding of the human genome over a decade ago held the promise of defying our genetic destiny, but it also foreshadowed some significant ethical issues on the horizon. This month, California legislators addressed some of these concerns in the Genetic Information Privacy Act (SB 1267). The proposed bill would guard against covert DNA testing by requiring written permission from California citizens before collecting, analyzing, storing or sharing their genetic information. Any such data obtained with permission could only be used within the scope of the permission given by the DNA owner, after which the DNA samples would have to be destroyed.
The Right To Be Forgotten
On 25 January 2012, the European Commission published a proposed new data protection framework for the E.U. The new framework, unlike the current one, is to provide a consistent and harmonised set of rules for all 27 E.U. member states. One of the main objectives of the new framework is to better ensure that individuals know what is happening to their personal data. To this end, the European Commission is proposing to introduce the ‘right to be forgotten’.
GPS in the Workplace
Earlier this year in United States v. Jones, the United States Supreme Court addressed the privacy implications of Global Positioning Systems (“GPS”), holding that placing a GPS tracking device on a suspect’s car was a “search” under the Fourth Amendment. Though a growing number of employers are using GPS systems to track employee activity on the job, the effect of the Supreme Court’s decision in the private sector remains unclear.