Companies and individuals who upload their files in the cloud often ask (or should ask) the question: "Where are my files and who can have access to them?"
In a prior article, we analyzed the laws that regulate US government access to data. In this article we will review their equivalent in three countries on three continents. What may be surprising... Read more
A program sponsored by Box and the Cloud Security Alliance, and held in conjunction with the RSA San Francisco 2013 Conference, featured European and North American attorneys specializing in information privacy and information security, and members of the Lexing Network, in a discussion of the laws that regulate government access to cloud data.
A 562-page, unofficial version of the final HIPAA / HITECH Rule was posted today. The final version of the document (“the 2013 Rule) is scheduled to be published on January 25, 2013 at http://federalregister.gov/a/2013-01073. This 2013 Rule becomes effective on March 26, 2013. Covered entities and business associates must comply by September 23, 2013. Read more
The Federal Trade Commission final updated COPPA Rule, published this morning (December 19, 2012), brings child protection online to the 21st century. While most of the high level requirements, which stem directly from the Child Online Privacy Protection Act (COPPA) remain unchanged, the updated Rule contains references to modern technologies such as geolocation, plug-ins and mobile apps, and modern methods of financing websites,... Read more
Recent reports and press articles, with attention grabbing headlines, have expressed concern, and at times asserted, that the U.S. government has the unfettered ability to obtain access to data stored outside the United States by U.S. cloud service providers or their foreign subsidiaries. They point to the USA PATRIOT Act (“Patriot Act”) as the magic wand that allows U.S. law... Read more
The Federal Trade Commission has published a proposed settlement with Compete, Inc. a web analytics company, for violation of Section 5 of the FTC in connection with its collection, use, and lack of protection of personal information (including some highly sensitive information). Compete uses tracking software to collect data on the browsing behavior of millions of consumers.
Google was hit by a $22.5 million penalty as a result of an investigation by the Federal Trade Commission covering Google’s practices with users of the Safari browser. A very interesting aspect of this new case against Google (Google 2), is that it raises the issue of Google’s violation of the Self-Regulatory Code of Conduct of the Network Advertising Initiative... Read more
In its Opinion 05/2012 on Cloud Computing published as document WP 196 in early July 2012, the Article 29 Working Party identifies the data protection risks that are likely to result from the use of cloud computing services, such as the lack of control over personal data and lack of information about how, where and by whom the data are being processed... Read more
If the vision of Ms. Reding, Vice-President of the European Commission, as expressed in the January 25, 2012 data protection package is implemented in a form substantially similar to that which was presented in the package, by 2015, the European Union will be operating under a single data protection law that applies directly to all entities and individuals in the... Read more
Note: This article is superseded by the more recent Proposed EU Data Protection Regulation – January 25, 2012 Draft: What US Companies Need to Know
The European Commission has just published drafts of the two documents that will form the new legal framework for the protection of personal data throughout the European Economic Area. The draft documents are intended to provide a... Read more
In late October 2011, the European Council of Ministers formally adopted the new EU Consumer Rights Directive. The new Directive will drastically affect the rules that apply to online shopping. Numerous provisions will also apply to both the online and the offline markets.
Scope of the Consumer Rights Directive
The Directive is intended to protect “consumers,” i.e., all natural persons who are acting... Read more
While the COPPA Rule is going through a facelift – a final draft is expected to be published in 2012 - the FTC continues its enforcement actions against websites with lax COPPA practices. On November 8, 2011, the FTC announced a proposed settlement with the social networking site, www.skidekids.com, which collected personal information from children without obtaining prior parental consent,... Read more
Many companies post on their websites a statement indicating that they care about the privacy of their customers or users, and then describe in general terms their policies with respect to certain categories of personal information. The golden rule for these privacy statements is “Say what you do, and do what you say you do.” Let’s assume that the company... Read more
How to build cloud applications that anticipate your customers' legal constraints?
To succeed and gain market share, developers of cloud services and cloud-based applications must take into account the compliance needs of their prospective customers. For example, a cloud that offers services to the health profession must anticipate that its customers are required to comply with HIPAA, the HITECH Act, and... Read more
On September 15, 2011, the Federal Trade Commission published for comments its proposed amendment to the current COPPA Rule, which is codified as 16 CFR Part 312. This proposed amendment is based on the information and comments collected during several public round tables and other consultations with the public and stakeholders in 2010. The text of the Proposed Amendment... Read more
On July 2, 2011, Peru adopted its first “Law on the Protection of Personal Data.” The law was published in the country’s official gazette of July 3, 2011 as Law No. 29733. Inspired from the Spanish data protection law and the APEC Privacy Framework, this new law is intended to bring Peru to a level of data protection that... Read more
Top ten list of issues presented by Francoise Gilbert as part of her Conference Chair address, at the PLI Privacy & Security Conference in San Francisco, May 23-24, 2011. Read more
The United Kingdom’s Information Commissioner’s Office (ICO) has published an “advice” that explains the new rule for the use of cookie technologies for websites and mobile applications that are subject to the UK laws. As of May 26, 2011, companies will no longer be permitted to rely on consent implied from browser settings. They must obtain the user’s prior affirmative... Read more
A proposed Federal Trade Commission consent order applicable to Ceridian Corporation, establishes that failure to protect against potential SQL injection attacks is an “unfair practice” actionable under Section 5 of the FTC Act. Despite representations that it maintained “worry-free safety and reliability” and that it had a security program designed in accordance with the ISO 27000 standard, the company’s security... Read more
The European Commission has announced that it plans to amend the 2006 Data Retention Directive, Directive 2006/24/EC. This Directive states that the national laws of the EU Member States must require providers of publicly available electronic communications services and public communications networks to retain traffic and location data for a period between six months and two years, in order to allow... Read more
Litigation and trials are handled in the United States in a manner that is significantly different from that which prevails in other countries. While broad discovery is available here, the gathering and use of evidence is much more limited abroad. For years, there have been disputes between US litigants and the foreign parties who were requested to produce information and... Read more
In a cloud computing environment, data and applications are hosted "in the cloud.” What that cloud is made of, and where its components are located, matters. However, ask a cloud service vendor where your data will be stored or processed, the typical answers will likely range from "well... hum ... in the cloud" to "we have servers everywhere, data moves... Read more
Cloud service relationships are very complex. Numerous important issues are at stake. In many cases, the use of cloud services may jeopardize an entity’s ability to comply with the numerous laws to which it is subject. In addition, even if there are no specific legal compliance requirements, sensitive data and significant intangible assets might be at risk. Thus, before venturing... Read more
The characteristics of cloud computing -- on-demand self-service, elasticity, metered service or ubiquitous access -- make it look like a simple and casual operation. Easy to get in, easy to get out, easy to augment, and easy to shrink; Just pay with your credit card. Attractive pricing structures are often justified by presenting cloud solutions as a “one-size-fits-all” product where... Read more
A “Deliberation” of the CNIL (French Data Protection Authority) published in the February 16, 2011 Official Journal of the Republic of France as “Deliberation No. 2011-023” should ease the burden on companies that have no operations in France, and engage France-based subcontractors (or cloud service providers) in order to process their data on the French territory. This is the case,... Read more
In a decision made public on February 1, 2011, the European Commission has determined that the data protection regime in Israel is adequate under the 1995 EU Data Protection Directive. The adequacy determination applies to only to data in automated databases. The data protection law of Israel Data does not apply to data in manual databases. Thus, for these data,... Read more
On December 16, 2010, the Department of Commerce released its Internet Policy Task Force Privacy Green Paper, which details recommendations on the protection of consumer privacy online. Titled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework”, the Report provides a set of recommendations to strengthen data privacy while protecting innovation, job creation, and economic growth.
The... Read more
On December 1, the FTC issued its long awaited report in which it outlines a Proposed Framework for businesses and policy makers for the protection of personal data. The Proposed Framework would reach a broad range of commercial entities, both online and offline, that collect, maintain, share, or use consumer data. The protection would apply not only to what has... Read more
In its long awaited report on privacy protection, which was published on December 1, 2010, the Federal Trade Commission outlines a Proposed Privacy Framework for businesses and policy makers. The Proposed Framework would focus on the collection, maintenance, sharing, or use by commercial entities of consumer personally identifiable information, online and offline. “Personally identifiable information” is defined as data that... Read more
The European Commission has determined that the privacy and data protection framework applicable throughout the European Union must be revised in order to adapt the current rules to the rapid technological changes that have dramatically modified the way individuals live and companies operate. Communication COM (2010) 609, published on November 4, 2010, summarizes the goals that the European Commission has... Read more
On October 5, 2010, the US Department of Energy (DoE) issued two important reports that outline recommendations for the use of Smart Grid technologies. One of the reports focuses on the protection of personal data that will be collected through Smart Grid meters, the other addresses communications requirements. Both reports were issued after consultation with the utilities, consumer advocates,... Read more
Social networks such as Facebook and MySpace allow members to create an online profile that may be accessed by other members. Some social networks have privacy controls that allow members to choose who can view their profiles or contact them. Others do not require pre-approval to gain access to a member’s profiles.
These materials are easy target for trial or... Read more
Google fired a software engineer because he allegedly took advantage of his position as a member of an elite technical group at the company to access user accounts in violation of the company policy. Accounts accessed included those of four minors whom he had encountered through a technology group, according to reports by CNN and Gawker.
While there is no allegation of... Read more
On September 14, 2010 the European Court of Justice (ECJ) confirmed that there is no attorney-client privilege under EU law for communications with in-house counsel when a company is under investigation by the European Commission.
In its ruling in the case of Akzo Nobel Chemicals Ltd and Akcros Chemicals Ltd v European Commission, the European Court of Justice affirmed a prior decision... Read more
Mexico’s New Federal Law on the Protection of Personal Data
Mexico’s new Ley Federal de Protección de Datos Personales en Posesión de los Particulares (Federal Law on the Protection of Personal Data Possessed by Private Persons) became effective on July 6, 2010. The Law is “of public order,” which means that contract provisions that conflict with it are unenforceable.
The Federal Institute... Read more
Security is not just for credit card and social security numbers
The proliferation of security breach disclosure laws has brought companies’ attention to the need to protect financial information, social security, and drivers license numbers. Since most of these laws target only these categories of data, and most state laws that require the use security measures also have focused on these... Read more
What's Cookin' in the European Union?
The European Union Member States will soon change the rules that apply to cookies and unsolicited messages. Recent amendments to the ePrivacy Directive require the Member States to implement new restrictions in their national laws by June 2011. These changes are likely to significantly affect the procedures and processes used for marketing in, or with,... Read more
The use of location-based services by consumers, such as for the provision of directions, traffic information, or mapping to locate nearby stores, should be subject to terms and conditions that address the quality of the service, and the reliability of the data. In addition, the contract should address the privacy concerns of the customer. The collection, use and sharing of... Read more
How to Ensure Continued Compliance with The Safe Harbor Requirements
The Safe Harbor created by the US Department of Commerce and the European Commission provides a convenient way for US companies with limited global transactions to address the “adequacy” requirement under the national laws of the European Union Member States. Being self-certified under the US Department of Commerce Safe Harbor allows them... Read more
An individual uses a travel site to check hotels in New York, but does not book any hotel room. Later the individual visits the website of a local newspaper to read about the Chicago Cubs baseball team. While on the newspaper’s website, the individual is served an advertisement from an airline featuring flights from Chicago to New York. The method... Read more
On February 20, 2003, the U.S. Department of Health and Human Services (HHS) published the final draft of the new National Standards for Safeguards to Protect Personal Health Information that is maintained or transmitted electronically ("Security Rule"). Required as part of the administrative simplification provisions included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), these standards are... Read more
Not so long ago, the Internet was a separate world. We distinguished e-commerce and other activities in “cyberspace” from those that were conducted in the brick and mortar world. Today, most companies are exploiting at the same, and to the fullest extent possible, all of the vast resources that are available through the Internet, the World Wide Web and otherwise.
Concurrent... Read more
Directive 2002/58/EC (or “e-Privacy Directive”), which defines the restrictions that apply to the protection of personal data in the context of wire or Internet communications, was amended in late 2009. This amendment establishes the first mandatory security breach disclosure regime for the European Union and will soon be reflected in the national laws of the EU and EEA Member States.
While... Read more
It is easy register as a user on a site using a different identity than the actual one. A 14 year old can pretend to be 25 and set up a profile on most social networking sites. As a result, minors have been able to find their way onto sites that were intended for adults. In some cases, they have become... Read more
The directors and officers of a company are responsible for preserving the company’s most valuable assets, such as strategic plans or intellectual property assets. When leaks of company confidential or proprietary assets occur, and there is a suspicion of illegal practices by certain individuals, the company management has an obligation and a legitimate need to make these practices stop. To... Read more