US employers are sometimes required for diversity purposes to collect data regarding the race and ethnicity of their employees.  However, collection of such “sensitive” data may infringe EU data protection laws under Article 8 of the EU Data Protection Directive.  This blog post is designed to provide some basic information about Article 8 and its exceptions.  It relates only to the collection of sensitive data from EU-based employees and does not address cross-border data transfer issues.

 

Following is an updated list of citations to state data breach notification laws. We also note that as of January 1, 2008, California’s data breach notification law, Civil Code § 1798.82, will include “medical information” and “health insurance information” in the definition of personal information. Also, any business “maintained for the purpose of managing medical information” must comply with the prohibitions of California’s Confidentiality of Medical Information Act, effective January 1. These changes were enacted through A.B. 1298, signed by Governor Schwarzenegger on October 14, 2007.

According to a recent federal court ruling, a telephone customer is bound by the terms of an online business’s privacy policy and terms of use to which the salesperson referred during the call. In Greer v. 1-800-Flowers.com, Inc., No. H-07-2543 (S.D. Tex. Oct. 3, 2007), the U.S. District Court for the Southern District of Texas enforced a forum selection clause contained in the website’s terms of use against a consumer who ordered flowers for his girlfriend on the telephone. Before placing his order, the plaintiff inquired as to the company’s privacy practices and a 1-800-Flowers.com representative referred him to the company’s online privacy policy. Plaintiff claimed he relied on this policy when he completed his order. The privacy policy clearly stated that it was part of the website’s terms of use, which the plaintiff did not read and which included a forum selection clause.

In follow-up to our earlier blog post regarding recent pressure on social networking sites from law enforcement, New York Attorney General Andrew Cuomo announced yesterday that his office had entered into a settlement with Facebook. The settlement resolves the Attorney General’s investigation of Facebook’s failure to fulfill public claims it made about protecting minors, which the Attorney General believed were deceptive acts and practices and false advertising in violation of New York consumer protection laws. Facebook did not admit to any wrongdoing.

Kids like social networking sites, most notably MySpace and Facebook. So it is not surprising that law enforcement is scrutinizing how the sites protect children. Recent subpoenas issued to Facebook by New York Attorney General Andrew Cuomo and New Jersey Attorney General Anne Milgram are illustrative.

Both subpoenas sought information about Facebook’s Internet safety and security policies. The New York subpoena, issued last month, also sought information concerning Facebook’s complaint resolution procedures. In its subpoena cover letter to Facebook, Attorney General Cuomo noted Facebook’s public representations concerning how it responds to reports of pornographic material and inappropriate contact with minors. It also described its undercover investigation of Facebook. According to the letter, the investigation revealed pornographic and other inappropriate content readily available on the site. In addition, after investigators set up profiles as young teenage users, they received inappropriate sexual advances. The investigators filed complaints about these issues through Facebook’s complaint procedures. The letter notes various instances of non-responsiveness or delayed response to such complaints. The New Jersey subpoena, issued earlier this month and described here, sought information from Facebook concerning convicted New Jersey sex offenders that Facebook has identified as site users. Facebook previously informed the New Jersey Attorney General it had removed sex offenders with profiles matching individuals listed on the New Jersey sex offender registry. Attorney General Milgram also sent letters to eleven other social networking sites requesting they compare their registrants against the state’s sex offender list.

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow a law enacted by Minnesota earlier this year, effective August 1, 2007, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.

Proskauer Rose LLP has just released “Proskauer on International Litigation and Arbitration: Managing, Resolving, and Avoiding Cross-Border Business and Regulatory Disputes.” The online guide is a practical reference work for businesses and practitioners; it explores best practices and creative yet practical approaches to manage, resolve, and avoid controversies affecting multiple jurisdictions. The 28-chapter guide is available free in e-Book format at www.proskauerguide.com. It includes a thorough chapter on international privacy law.