Chambers Europe writes that “[t]his enterprising young team continues to impress sources with its work in data protection, privacy, and compliance. The lawyers provide a seamless, multi-jurisdictional service to local and international clients … Sources say: ‘Excellent, pragmatic advice – really outstanding.’”

This latest ranking adds to the list of Chambers and Partners honors that the Privacy and Data Security practice has received throughout the years. For the last four years, Hunton & Williams has maintained a “Band 1” ranking for Privacy and Data Security in both the Chambers Global and Chambers USA guides.

According to the FTC’s complaint, Myspace’s privacy policy stated that it would not share personal information except as described in the privacy policy without first giving notice to users and receiving permission for the sharing. The privacy policy indicated that the information included in cookies used to customize advertisements did not identify users to third parties, and that only “[a]nonymous click stream, number of page views calculated by pixel tags, and aggregated demographic information may also be shared with MySpace’s advertisers and business partners.” Myspace also represented that it complies with the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks.

The FTC’s complaint alleged that, contrary to its representations, Myspace (1) provided users’ personal information to unaffiliated third-party advertisers without first giving users notice or obtaining users’ permission; (2) allowed advertisers to access personally identifiable information via the means through which Myspace customizes ads; (3) shared non-anonymized web-browsing activity with advertisers; and (4) did not adhere to the U.S. Safe Harbor privacy principles of Notice and Choice. According to the FTC, these activities constituted deceptive acts or practices in violation of the FTC Act.

The proposed settlement order prohibits Myspace from misrepresenting the manner in which it maintains and protects the privacy and confidentiality of its users’ personal information, and requires the company to establish and maintain a comprehensive privacy program subject to biennial, independent, third-party audits for 20 years.

Among other key points in the resolution, the Commissioners made note of efforts to strengthen and clarify individual rights in relation to data protection, general improvements made in accountability requirements, the strengthening of the role of independent data protection authorities throughout the reforms, and the development of a more comprehensive global framework that will ensure that data protection principles are upheld “across all areas.” More specifically, the Commissioners approved of the increased responsibilities and powers attributed to independent data protection authorities in the EU data protection reform package. The Commissioners also encouraged the Council of Europe to follow through with the ambitious revision of Convention 108 it suggested last October.

With respect to potential improvements, the Commissioners indicated that they expect to see progress on the Directive on the processing of personal data for criminal investigations, in particular through the introduction of a provision addressing the transfer of data from private parties to law enforcement authorities.

The Working Paper sets forth recommendations for best practices and guidance intended to help reduce risks associated with the use of cloud computing services, and to promote accountability and proper governance. The recommendations focus on how to avoid lowering data protection standards when implementing cloud computing solutions, so that businesses can benefit from the possibilities cloud computing has to offer without compromising adequate protection for individual rights. In addition to outlining best practices, the recommendations address accountability, technical safeguards, cloud service agreements and the physical locations where cloud data may be stored or processed. The memorandum also discusses the necessity of impact and risk assessments, as well as legal obligations towards data subjects and data protection authorities in the event of a data breach.

The Working Paper concludes by providing useful background information, including a thorough description of cloud computing and a succinct analysis of the economic drivers behind cloud computing.

• An introduction of new Australian privacy principles to replace the current Information Privacy Principles that apply to federal agencies and the National Privacy Principles that apply to the private sector;
• More stringent regulation of personal information used for direct marketing;
• Privacy protections for unsolicited personal information;
• Easier access for consumers to correct their personal information;
• Updated credit reporting rules;
• An accountability-based approach to data transfers; and
• Greater powers for the Privacy Commissioner.

Former Australian Privacy Commissioner Malcolm Crompton, Managing Director of Information Integrity Solutions (IIS) and a leading observer of data protection reform, said that the reform package will probably move through the Parliament with minimal changes in light of the reviews that already have been conducted.

Commissioner Reding referred to the DPAs as the “eyes and ears on the ground” and the daily enforcers of European data protection rules. Commissioner Reding indicated that the proposed Regulation would result in greater responsibilities for companies (e.g., accountability, privacy by design, privacy impact assessment), improvements for individuals (e.g., clarification and reinforcement of citizens’ rights), and the empowerment of DPAs through better enforcement tools, including the authority to impose fines that give DPAs “the teeth they need.”

Commissioner Reding acknowledged that “delegated acts are the source of some questions and even controversy.” She reassured the audience that delegated acts were created and included in the proposed Regulation to allow the rules to be adapted to future technological developments and were not “an undemocratic procedure that would allow for a power grab by the Commission.” Commissioner Reding assured the DPAs that the European Commission was not seeking to become a “super-data protection authority,” and indicated that if the opinions of the European Data Protection Board (i.e., the former Article 29 Working Party) were made binding through delegated acts, the DPAs’ opinions would carry more weight.

Commissioner Reding also addressed the DPAs’ concerns with their own funding and staffing, and announced her intention to develop “objective guidelines for an ideal, effective, financially independent national data protection authority” by summer 2013. Commissioner Reding mentioned that a “one-stop-shop approach” would benefit DPAs by saving their resources through increased coordination and information sharing. She emphasized her goal of working towards greater interoperability in international data transfers and applauded the positive developments in the U.S., citing the need for regulatory action in areas such as “mobile data protection, privacy rules for children, profiling [and] consent.”

Commissioner Reding concluded her speech by calling the proposed Directive, which also appears in the data protection reform package, a significant improvement over the present Framework Decision of 2008. The Commissioner asked for support from the DPAs to help maneuver the complete data protection reform package through the EU legislative process with the ultimate goal of passing the data protection reform by summer 2013.

Cyber Intelligence Sharing and Protection Act

Pursuant to CISPA, the Director of National Intelligence is required to establish procedures that would allow the intelligence community to share “cyber threat intelligence” with private-sector entities, and to encourage the sharing of such intelligence. In addition, “cyber security providers,” such as Internet service providers, would be allowed to share “cyber threat information” with certain private entities and the federal government. “Cyber threat information” includes information directly pertaining to a vulnerability of, or a threat to, a system or network of a government or private entity.

The House made several amendments to CISPA prior to passing it. Under the proposed draft bill, there was no requirement to shield any personally identifying information that may be included in the cyber threat information. The proponents of the bill claimed that some of the amendments were aimed at addressing these privacy concerns.

• One amendment limits the federal government’s ability to use shared cyber threat information to one of five enumerated purposes: (1) cyber security, (2) investigation and prosecution of cyber security crimes, (3) protection of individuals from death or serious bodily harm, (4) protection of minors from sexual exploitation or physical threat, or (5) protection of national security.
• Another amendment provides that the federal government may not use shared “information that identifies a person” contained in (1) library circulation records, (2) library patron lists, (3) book sales records, (4) book customer lists, (5) firearms sales records, (6) tax return records, (7) educational records, or (8) medical records.

CISPA also includes a provision that limits the liability of private entities from sharing cyber threat information, but the adopted version does not include provisions regarding the protection of critical infrastructure systems, as was proposed by the Obama Administration and recommended by military and intelligence experts.

Federal Information Security Amendments Act

The proposed amendments would require agencies to (1) ensure the sufficiency of their information security programs, (2) continuously monitor the security of federal information systems, and (3) appoint a chief information security officer or senior official to oversee information security programs and enforce compliance. Pages 2-3 of the Federal Information Security Amendments Act outline the following purposes for the amendments:

• provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
• recognize the highly networked nature of the current Federal computing environment and provide effective Government wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities assets;
• provide for development and maintenance of minimum controls required to protect Federal information and information infrastructure;
• provide a mechanism for improved oversight of Federal agency information security programs and systems through a focus on automated and continuous monitoring of agency information systems and regular threat assessments;
• acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the Nation that are designed, built, and operated by the private sector; and
• recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.

Both bills are now headed to the Senate for approval.

The Singapore government intends to enact the data protection legislation in 2012. The stated purpose of the Act “is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.” The legislation is intended to protect only data that has a “link” to Singapore, and recognizes that data controllers, not data processors, are responsible for compliance with the law. The Ministry aims to put in place forward-looking legislation that will function as part of the infrastructure for cloud computing and modern analytics.

The Centre’s comments focus on two issues:

1. The over-reliance on consent in the legislation; and
2. assuring that the “link” to Singapore is limited to data originating in Singapore, or from Singapore residents while they are physically located in Singapore, and does not include information collected by processing centers in Singapore that receive data from other jurisdictions.

The proposed legislation is consent-based. In most instances, an organization will need to get consent from the individual before his or her information may be processed. Although the Act includes a laundry list of exemptions, there is no mechanism that would allow an organization to invoke its legitimate business interest to process information when consent is inappropriate and there is no other applicable exemption in the law. The Centre suggests more flexibility to allow organizations to balance their needs against potential risks to individuals, and the comments describe how that process might work.

The Centre believes that the plain language of the legislation is not consistent with the legislative objective of restricting the scope to data that is truly Singapore data. The comments highlight the flawed section and suggest it be addressed to meet legislative objectives.

In particular, the CNIL’s inspections will focus on a number of issues including:

• Smart phones: The CNIL intends to continue exploring new uses of smart phones by focusing on data collection both (1) when a customer registers with a mobile operator and (2) through monitoring of the customer’s usage (e.g., use of online services, download and use of applications). Scrutiny will focus on the data collection practices of both mobile operators and mobile application providers.
• Health data security: Following up on the efforts initiated in 2011, the CNIL will pay close attention to the development of personal medical records, and also will scrutinize medical research, online health-related applications and healthcare providers. The storage of health records using cloud computing solutions will be of particular interest.
• Data breaches: The CNIL’s focus on data breaches in 2012 follows naturally from the introduction of a regulation, which came into effect on August 24, 2011, that imposes a data breach notification requirement on electronic communications service providers. Providers of publicly available electronic communications services are now required not only to notify the CNIL of data breaches, but also to notify the individuals concerned when the data breach “affects their personal data or private life.”
• Sports and hobbies: The CNIL has decided to further examine how personal data are processed within the main French sports federations, including with respect to issues related to the disclosure of data to third parties and blacklisting.
• Police records: Following a parliamentary report on the topic, the CNIL will organize a series of data protection inspections to examine the internal operating services of the police.
• Databases related to day-to-day activities: The CNIL finally will address a general call for transparency by conducting a broad survey of data processing by large-scale companies that handle millions of citizens’ personal data on a daily basis (e.g., water, electricity, gas, highway operators).