In a recent decision, the Ninth Circuit held that “the ECPA unambiguously applies to foreign citizens.” In Suzlon Energy Ltd. v. Microsoft, Suzlon Energy demanded Microsoft to produce emails from the Hotmail email account of an Indian citizen imprisoned abroad. The district court held that the Electronic Communications Privacy Act (“ECPA”) prohibited Microsoft from producing the documents even though the individual was not a U.S. citizen. The Ninth Circuit affirmed.

On September 26, Judge William Walls of the U.S. District Court for the District of New Jersey ruled that a putative class action lawsuit against home goods retailer Williams-Sonoma failed to state a claim under New Jersey law. In Feder v. Williams-Sonoma Stores, Inc., the plaintiff sought damages for purported violations of New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”) after a Williams-Sonoma employee allegedly required the plaintiff to provide her zip code as part of a credit card transaction. The district court’s decision supports what many people hope will continue to be the case, i.e., that it will be a challenge for plaintiffs’ lawyers to successfully transplant the California Supreme Court’s recent decision in Pineda v. Williams-Sonoma, Inc. (see our blog post here) into other jurisdictions.

          On July 25, Russian President Dmitry Medvedev signed into law an amendment to the Russian data protection law, "On Personal Data".  The new amendments are effective as of July 1, 2011.  Of special significance, the amendments provide further clarification regarding the transfer of personal data to individuals or entities located outside of Russia.  Prior to the recent amendments, before transferring personal data from Russia to, for example, the United States, in the absence of obtaining prior written consent, a company needed to determine whether the United States (or another country, as the case may be) possessed data protection laws that provided an "adequate" level of protection.  However, the old Russian law provided little clarification as to which countries qualified under that standard, or how a company should go about deciding which countries qualified.

On Wednesday, August 31, 2011, California became the third state this year to amend its existing security breach notification law when Governor Jerry Brown signed into law Senate Bill 24 (“SB 24”). SB 24’s specific changes, while far from sweeping, include the addition of content requirements for notice letters to individuals and a requirement to send a sample letter to the state’s attorney general if more than 500 people are affected by a breach. SB 24 won’t add much to most nationwide breach response plans, but will up the ante for those doing business primarily (or exclusively) in California.

On August 25, 2011, the Massachusetts Appeals Court, in a case of first impression, ruled that the state crime lab’s retention of an individual’s DNA sample beyond the limitations promised to him by the police when they took the voluntary sample state a claim for invasion of privacy, and for violation of the state’s Fair Information Practices Act (“FIPA”). The case, Amato v. District Attorney, No. 10-P-354 (Mass. Ct. App. Aug. 25, 2011), is a significant win for privacy advocates and the Firm. Proskauer partner Mark Batten and former associate Sandra Badin handled the matter with assistance from the Firm’s pro bono partner, the ACLU.

As mentioned in a prior post on this blog, earlier this year the Indian Ministry of Communications and Information Technology issued new privacy and data security rules under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the “Privacy Rules”). The strict consent requirements relating to the collection and sharing of sensitive personal data or information seemed to threaten the viability of India’s successful outsourcing industry and affect the data collection practices of non-Indian companies who are otherwise in compliance with data security and privacy requirements in their home jurisdictions. On August 24, 2011, the Ministry issued a release clarifying certain aspects of the Privacy Rules which will undoubtedly cause the Indian outsourcing industry and non-Indian companies to breathe a sigh of relief.