On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify

In anticipation of the Swine Flu and the consequences that it may have upon the continuity of the business of companies, the French Data Protection Agency (known under the acronym "CNIL") recently issued recommendations regarding employers’ collection of employee data in connection with their swine flu business continuity programs.

The French government has strongly recommended that companies set up a plan for the continuity of their businesses in case of pandemic flu. Indeed, in case of pandemic, the French authorities anticipate significant degrees of absenteeism among employees and a possible paralysis of certain companies if they are not sufficiently prepared. 

On August 19, 2009, the French Data Protection Agency (also known as the “CNIL”) released a new opinion (the “Opinion”) on the transfer of personal data from France to a jurisdiction outside of Europe. The Opinion is noteworthy for describing how personal data can be transferred from France to the United States pursuant to U.S. discovery proceedings. The Opinion stresses that it does not cover proceedings originating from U.S. governmental requests, such as requests by the Security Exchange Commission (SEC) or the Federal Trade Commission (FTC). The issue of international discovery transfers has been a particularly thorny and complex one, as it has often pitted the legal obligations of an entity in the United States to comply with U.S. discovery requirements against its obligations to comply with EU data protection laws, where it holds personal data on individuals located within the EU.

Earlier this year, we blogged about address book scraping and some of the issues associated with the practice, specifically transparency and the use of unsolicited, deceptive e-mails. In a suit against reunion.com, a recipient alleged that she received a “deceptive” e-mail from the site because it was purported to be from her friend when in fact it was from reunion.com and sent without her friend’s consent.

Now another site has come under scrutiny for similar address book scraping tactics. This July, New York Attorney General Andrew M. Cuomo announced that he intends to sue Tagged.com (“Tagged”) for deceptive e-mail marketing practices and invasion of privacy.

When Flash cookies (also known as a “Local Shared Objects”) were first flagged as a privacy issue back in 2005, a few savvy companies added a disclosure about Flash cookies into their web site privacy policies. Since then, we have not heard the issue raised again. Now this sleeper issue seems to have been awakened by a recent report by researchers at the University of California, Berkeley, entitled Flash Cookies and Privacy

Flash cookies, which utilize a little-known capability of Adobe’s Flash plug-in, are a method to store information about a user’s preferences. (Estimates suggest that Adobe’s Flash software is installed on some 98 percent of personal computers.) Flash cookies may be used to provide better functionality to the user by, for example, storing the user’s preferences about sound volume or caching a music file for smoother play-back over an unreliable network connection. Flash cookies may also be used as unique identifiers that enable advertisers to track user preferences and circumvent deletion of HTTP cookies. Because Flash cookies are stored in a different location than HTTP cookies on one’s personal computer, simply erasing HTTP cookies, clearing browser history, or deleting the cache does not remove Flash cookies.