Privacy & Information Security Law Blog

Senator Urges Privacy Oversight Board Nominations

Hunton & Williams LLP — Fri, 12 Mar 2010 11:20:00 -0500

According to BNA’s Privacy Law Watch, on March 8, 2010, Senator Patrick Leahy asked President Obama to nominate members for the dormant Privacy and Civil Liberties Oversight Board. The Board, which was created in 2004 upon the recommendation of the 9/11 Commission, focuses on ensuring that privacy and civil liberties concerns are incorporated into anti-terrorism laws and regulations. Although President Obama had pledged in May 2009 to reconstitute the board, which has had no members since January 2008, privacy advocates say that his focus on cybersecurity issues has delayed the nomination process.

Hacking Overtakes Theft and Loss as Leading Cause of Reported Security Breaches

Hunton & Williams LLP — Fri, 12 Mar 2010 09:15:22 -0500

In 2009, for the first time in three years, more publicly reported data security breaches were caused by hackers than by other sources, such as insider theft. The nonprofit Identity Theft Resource Center (“ITRC”) tracks breaches involving five categories of data loss: (i) “data on the move,” such as lost laptops; (ii) accidental exposure; (iii) insider theft; (iv) losses involving subcontractors; and (v) hacking. The ITRC’s 2009 Breach Report analyzed 498 publicly reported breaches affecting over 222 million total records, concluding that hacking may be on the rise.

Notwithstanding the study’s findings, it remains impossible for an independent party to provide definitive numbers on breaches, or to assess accurately the causes behind all data security incidents. Although the vast majority of states require some form of notification of security breaches, formal notification requirements are rare outside the United States. Even in the U.S., many breach notification laws require notification only of certain types of breaches, such as breaches of data stored in electronic format. Moreover, as the ITRC report points out, not all of the laws require reporting of the cause of the breach, and the percent of breaches for which no cause was reported exceeds the percent attributed to hackers. Perhaps most importantly, many breaches—especially those caused by hackers—go undetected. And under many laws, even those that are detected need not be reported if the breached entity determines that the breach poses no risk of harm to the affected individuals. As of this writing, the ITRC’s tally for 2010 counts 146 breaches exposing over 2.8 million records.

European Court of Justice Rules on German DPA System

Hunton & Williams LLP — Wed, 10 Mar 2010 14:31:41 -0500

On March 9, 2010, the European Court of Justice ruled that the Federal Republic of Germany’s practice of “state supervision” over data protection authorities violates EU Data Protection Directive 95/46/EC. The case, brought by the EU Commission, is a milestone which will force Germany to change the structure of its DPA system and could have ramifications in other countries as well.

The Court’s decision is based on Article 28(1) of the Directive, which requires that data protection authorities (“DPAs”) act with “complete independence.” German law makes a distinction with regard to DPA supervision depending on whether the data processing is carried out by public or non-public bodies. There are therefore different authorities responsible for monitoring public entities’ compliance with data protection provisions versus those that monitor compliance by private parties and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) outside the public sector (such as transportation and utility companies).

At the federal level, data processing by public bodies is supervised by the Federal Commissioner for the protection of personal data and freedom of information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit). At the regional level, supervision is carried out by the commissioners responsible for regional data protection (Landesdatenschutzbeauftragte). These commissioners are responsible solely to their respective parliaments and normally are not subject to any scrutiny, instruction or other influence from the public bodies they supervise. However, the organization of the authorities responsible for supervising private entities’ data processing varies among the regions, and all the laws at the regional level expressly subject those supervisory authorities to state scrutiny.

In the judgment, the European Court of Justice emphasized that the EU Data Protection Directive requires “complete independence” of the work of the competent DPAs. It held that the Federal Republic of Germany had implemented this requirement incorrectly by subjecting the DPAs to state control. In this regard, the Court’s opinion differed from the view of Advocate General Mazák, who stated in October 2009 that state supervision over DPAs does not mean the DPAs cannot execute their work completely independently. In contrast, the European Court of Justice held that the DPAs for the private sector should not be subject to any outside influence.

Even before the Court’s decision, some of the German federal states had already begun to reorganize the responsibilities for supervision of data protection and to unify supervision. This judgment will force the remaining federal states to do so as well, and could lead to an overhaul of the organization of DPAs in Germany. Moreover, the judgment will most likely also have broader implications across Europe, given that a number of DPAs in other Member States are also not believed to work with complete independence. Reorganization of DPAs to give them more independence could also result in more compliance and enforcement actions, and may raise the threshold for the European Commission to issue adequacy decisions concerning the level of data protection in other countries.

Dr. Jörg Hladjk, an associate in the Brussels office of Hunton & Williams, discussed the decision in an article published in the BNA’s Privacy Law Watch™ on March 10, 2010.

LifeLock to Pay $12 Million Over False Claims of Identity Theft Protection

Hunton & Williams LLP — Tue, 09 Mar 2010 17:56:08 -0500

On March 9, 2010, the Federal Trade Commission announced that LifeLock, Inc., has agreed to pay $12 million to settle charges of deceptive advertising related to its identity theft protection services. The FTC and the attorneys general of 35 states obtained the coordinated settlement pursuant to charges that LifeLock made false representations regarding the effectiveness of the protection its services offer consumers. The FTC alleged that, contrary to assertions made in LifeLock’s advertisements, its products provide no protection from the most common form of identity theft, and only limited protection against other types of fraud.

The FTC’s complaint and further details concerning the settlement are available on the FTC’s website. The FTC also has posted a page to provide information on the redress program for current and former LifeLock customers.

Brill and Ramirez Confirmed as FTC Commissioners

Hunton & Williams LLP — Fri, 05 Mar 2010 11:08:22 -0500

On March 3, 2010, the Senate unanimously confirmed the nominations of Julie Brill and Edith Ramirez to serve as FTC Commissioners for seven-year terms. Most recently, Ms. Brill has served as Deputy Attorney General for Consumer Protection and Antitrust for the State of North Carolina. She was formerly Assistant Attorney General for Consumer Protection and Antitrust for the State of Vermont and has served as Chair of the Committee on Privacy for the National Association of Attorneys General. Edith Ramirez is a partner at Quinn Emanuel Urquhart Oliver & Hedges, LLP in Los Angeles, where she handles complex business litigation matters. In addition to the appointment of Jon Leibowitz as Chairman of the FTC by President Obama, these new appointments will give control of the FTC to the Democrats.

Alberta Privacy Commissioner Concerned about Court of Appeal Decision

Hunton & Williams LLP — Thu, 04 Mar 2010 15:33:04 -0500

Alberta’s Information and Privacy Commissioner, Frank Work, issued a news release regarding the recent Court of Appeal of Alberta decision in Alberta Teachers’ Association v. Alberta (Information and Privacy Commissioner). In the case, the Court held that the Information and Privacy Commission has no authority to extend investigation time limits under the Personal Information Protection Act (“PIPA”) after the statutory time limit has expired. Further, if the Commissioner extends the time in an inquiry process within the time limit, he must provide reasons for the extension, and his decision will be subject to judicial review. The Court noted that “[b]lanket or routine extensions seem unlikely to be regarded as reasonable if they cannot also be justified in the specific circumstances of the case.” PIPA is provincial legislation that governs the use of personal information by private sector organizations in Alberta.

In the news release, Commissioner Work expressed concern that, as a result of the Court of Appeal decision, many Albertans “will lose the privacy remedies they thought they received in response to their complaints.” In addition, the decision “simply creates another avenue of judicial review” and “[f]or the poor applicant or complainant, all you are making them do it start all over again.” The news release indicates that Commissioner Work will seek leave to appeal the decision to the Supreme Court of Canada. The Commissioner also will request that the Legislative Assembly of Alberta amend PIPA to address issues raised by the decision.

UK Information Commissioner Asks Organizations to "Deliver the Privacy Dividend"

Hunton & Williams LLP — Wed, 03 Mar 2010 15:53:13 -0500

On March 3, 2010, the UK Information Commissioner launched a report on the "Privacy Dividend" (the “Report”), which outlines the business case for proactively investing in privacy protection. The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.

The conclusions of the Report are unsurprising, namely that (i) personal information has commercial value, (ii) good data protection can bring business benefits and (iii) there are significant downsides to ignoring data protection. The Report also reiterates the need for direction and accountability on the part of senior management for the organization’s privacy strategy.

Against the backdrop of these conclusions, the Report offers a structured approach for Data Protection Officers to build their own business case to secure privacy investment and build a privacy culture. It highlights the key components of a privacy program, and offers a framework (including examples) for estimating both the value of personal data, and the costs of ignoring data privacy.

In launching the report, the UK Information Commissioner, Christopher Graham, recognized that there can be no ”one size fits all” approach to privacy. Instead, the Report provides practical tools to help organizations of all sizes and across all sectors to build a business case for investing in privacy.” The Commissioner challenges organizations to use the tools necessary to ensure that privacy protection is hardwired into organizational culture and governance, and urges organizations to realize the privacy dividend.

German Federal Constitutional Court Declares Implementation of Data Retention Directive Unconstitutional

Hunton & Williams LLP — Tue, 02 Mar 2010 13:15:11 -0500

On March 2, 2010, the German Federal Constitutional Court ruled that the mass storage of telephone and Internet data for law enforcement purposes is unlawful in its current form.

Since 2008, the challenged law has required telecom companies to retain data from telephone, email and Internet traffic, as well as mobile phone location data, for six months. This information may be retrieved for law enforcement and safety purposes. Constitutional claims were brought before the Court by nearly 35,000 citizens, representing the largest mass claim proceeding in German history.

Highlights from the Court’s decision are detailed below.

According to the Court, the data retention in question is incompatible with the constitutional right of telecommunications secrecy and thus violates the German Constitution. The data that has already been collected must be deleted without undue delay.
The ruling does not, however, exclude the storage of the data in general. The Court did not question the admissibility of the European Directive on Data Retention, which was the basis for the German law.
The judges stated in their ruling that (i) the provisions of the law implementing the European Directive on Data Retention fail to observe the principle of proportionality, (ii) there is a lack of security for the data, and (iii) there is a lack of information regarding the purposes for which the data will be used. The Court also criticized the law’s lack of transparency.
The Court stressed that the mass storage of data is considered a very serious encroachment on fundamental rights with an impact never before seen by the German legal system. For example, the traffic data collected would enable the creation of personality profiles and allow for the tracking of individuals’ movements. Such a threat to fundamental rights must be subject to very strict conditions that are not met by the current German law. The law’s provisions cannot be applied even in a limited or temporary way, and must be annulled. Because there is then no legal basis for the storage, data retention must cease and the previously collected data must be deleted.
The Court requested that the legislature develop strict criteria for data security that can be implemented by telecom companies, with the costs to be borne by the telecom companies since they profit from the telecommunication.
The Court stated that the federal government needs to (i) clarify that the data retained may be used only for law enforcement purposes, (ii) establish a catalogue of crimes serious enough to merit this kind of invasive data retention, and (iii) provide clear instructions to the federal states regarding the extent to which the police may access the data to prevent danger. Because of the perception by individuals of a constant threat of being tracked, the Court stated that the legislature must establish effective transparency rules. Affected individuals must be informed about the data analysis, and sanctions must be imposed for violations of this obligation to inform.
According to the Court, when a request is made to an ISP to disclose the identity of an individual using a specific IP Address, the indirect use of data collected pursuant such a request is subject to less stringent constitutional requirements. In these cases, the authorities are not provided with the data as it is preserved by the ISP, rather they receive just the personal information related to the holder of IP address as identified by the ISP using the data. Systematic, long-term fishing expeditions or individual profiling cannot be carried out through these kinds of disclosure requests. Further, for such disclosure requests only a pre-determined, limited amount of data is used and storage of such data implies much less risk of encroachment on fundamental rights. Accordingly, such disclosure requests may be ordered under less stringent conditions.

French Senate Issues Amended Bill on the Right to Privacy in the Digital Age

Hunton & Williams LLP — Tue, 02 Mar 2010 09:51:53 -0500

On February 24, 2010, the French Senate’s Committee of Laws published an amended bill on the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Bill”). Following the initial draft presented by Senators Yves Détraigne and Anne-Marie Escoffier, this revised version is based on a second Senate Report in which concrete proposals are made to amend the Data Protection Act.

Among the many amendments, organizations with more than 50 employees accessing or processing personal data would be required to appoint a data protection officer (“DPO”). This obligation also applies to organizations whose data processing activities, such as the processing of sensitive data, biometric or genetic data or judicial data, require prior authorization from the French data protection authority (the “CNIL”). The Bill also makes the DPO the central figure in the data compliance process, thereby strengthening the DPO’s role within an organization. Acting in an independent manner, a DPO must inform and advise any person working on behalf of the data controller on issues relating to data protection, as well as maintain and regularly update a list of all the data processing activities carried out by the data controller.

The DPO also would play a central role in the handling of data security breaches. In the event of a data security breach, the data controller must inform the DPO without delay or, in the absence of a DPO, the CNIL must be informed. Upon learning of a breach, the DPO must immediately take all the necessary measures to (i) restore the integrity and confidentiality of the data, and (ii) notify the CNIL of the incident. The DPO also must maintain an inventory of all data security breaches suffered by the organization.

The Committee’s Bill will be put to a vote before the general assembly of senators on March 23, 2010. Olivier Proust, an attorney in Hunton & Williams’ Brussels office and a member of the Paris Bar, was among the legal experts who were consulted by the Senate in the course of drafting the amended Bill.

The Bill and the second Report are available (in French) on French Senate’s website.

Article 29 Working Party Issues Opinion on the Concepts of Controller and Processor

Hunton & Williams LLP — Mon, 01 Mar 2010 15:38:15 -0500

On February 16, 2010, the Article 29 Working Party adopted Opinion 1/2010 (the “Opinion”) providing further clarification and guidance on the interpretation of the concepts of “data controller” and “data processor” in the context of the EU’s Data Protection Directive 95/46/EC. The full text of the Opinion (in English) has been made public on the Dutch DPA’s website.

The interaction between data controllers and data processors is essential in the application of Directive 95/46/EC, not least because the concepts determine who will be responsible for compliance with data protection rules and how data subjects can exercise their rights. However, the increasing complexity of the environment in which these concepts are used has given rise to new and difficult issues. The Opinion emphasizes the need to allocate responsibility between data controllers and data processors so that compliance with data protection rules are upheld sufficiently. Despite the impact of information and communication technologies and globalization, the Working Party concluded that the current distinction between data controllers and data processors remains relevant and workable. The following points are of particular importance:

Regarding Data Controllers

first and foremost, the role of the concept of a data controller is to determine who will be responsible for compliance with data protection rules (i.e., allocation of responsibility) and how data subjects can exercise their rights in practice;
the concept of a data controller also is essential in determining which national law is applicable to a processing operation/ set of processing operations;
the concept of a data controller is autonomous, (i.e., it should be interpreted mainly in accordance with Directive 95/46/EC), and functional (i.e., it is based on a factual rather than formal analysis);
determining the “purpose” of processing triggers the qualification of (de facto) data controller;
determining the “means” of processing can be delegated by the data controller (as far as technical or organizational questions are concerned), however, substantial questions that are essential to the core of lawfulness of processing (e.g., type of data to be processed, length of storage, access, etc) are to be determined by the data controller.

Regarding Data Processors

the qualification of a data processor depends on the decision of the data controller, who may decide to process the data within his organization, or to delegate all or part of the processing activities to an external organization;
two basic conditions arise for qualifying as a data processor: (a) being a separate legal entity with respect to the data controller; and (b) processing personal data on behalf of the data controller;
the role of a data processor stems from its core activities in a specific context and with regard to specific sets of data or operations.

FTC Set to Appeal the Red Flags Rule Exemption for Attorneys and Law Firms

Hunton & Williams LLP — Mon, 01 Mar 2010 12:48:31 -0500

On February 25, 2010, the Federal Trade Commission filed a notice that it is appealing the D.C. District Court’s December 28, 2009 judgment in favor of the American Bar Association in American Bar Association v. FTC. The District Court’s summary judgment held that the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule” or the “Rule”) does not apply to attorneys or law firms. The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act. In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program. The program must be designed to detect, prevent and mitigate the risk of identity theft. Prior to the district court’s decision, the FTC had taken the position in publications and numerous panels that attorneys and law firms meet the Rule’s definition of “creditor” because they allow clients to pay for legal services after the services are rendered.

To read more about the Red Flags Rule, please see our previous blog posts.

View the FTC’s notice of appeal.

Senior Google Executives Sentenced for Violation of Italian Privacy Laws

Hunton & Williams LLP — Wed, 24 Feb 2010 10:47:13 -0500

In February 24, 2010, an Italian court in Milan found three Google executives guilty of violating applicable Italian privacy laws. The executives were accused of violating Italian law by having allowed a video showing an autistic teenager being bullied to be posted online. The Google executives, Senior Vice President and Chief Legal Officer David Drummond, Chief Privacy Counsel Peter Fleischer and former Chief Financial Officer George Reyes, were fined and received six-month suspended jail sentences.

The case, which is the first of its kind, was brought by a public prosecutor in Milan and did not involve Italy’s data protection authority, the Garante. It calls into question the interpretation of European privacy laws as it appears to suggest that employees of organizations that provide services such as Google Video and YouTube, may be found criminally responsible for content that users upload, even though they have no control over such content. The case also suggests that hosting and social networking providers may no longer rely on the EU safe harbor that absolves them of liability for the content posted on their websites, provided they remove unlawful content as soon as they are notified of its presence.

Concerns also have been expressed with respect to the impact of the ruling on the principles of freedom on which the Internet was founded, including freedom of speech and freedom of information. Arguably, if hosting and social networking providers are required to screen or vet all content uploaded to their websites, such freedoms are jeopardized, as is the very existence of such organizations. In the words of Richard Thomas, the UK’s former Information Commissioner and Senior Global Privacy Advisor to Hunton & Williams, the case is “ridiculous” and “it is unrealistic to expect firms to monitor everything that goes online.”

FTC Warns Organizations of P2P-Related Data Security Breaches

Hunton & Williams LLP — Tue, 23 Feb 2010 18:25:55 -0500

On February 22, 2010, the Federal Trade Commission issued a news release indicating that it had notified almost 100 organizations that personal data about their customers, students or employees had been shared from their computer networks on peer-to-peer (“P2P”) file sharing sites, thereby exposing the data of affected individuals to possible identity theft and fraud. In its letters, the FTC urged recipient entities to review their internal security procedures and the security procedures of their third party service providers. The letters also recommended that the companies identify affected individuals and consider whether to notify them of the possible risks to their personal information pursuant to applicable state and federal data security breach notification laws. Samples of the FTC’s letters were published with the news release and are available on the FTC’s website.

In addition, to help companies manage security risks related to P2P networks, the FTC published a Guide for Businesses on Peer-to-Peer file sharing and provided a link to a P2P Security Guide for consumers.

Hunton & Williams partner, Lisa J. Sotto, discussed the FTC’s release in USA Today's Technology Live Blog.

Massachusetts Information Security Regulations Take Effect on March 1, 2010

Hunton & Williams LLP — Tue, 23 Feb 2010 13:38:31 -0500

After several delays and revisions, the Massachusetts information security regulations, entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth,” will take effect on March 1, 2010. The regulations apply to entities that own or license personal information about Massachusetts residents. “Personal information” is defined as a combination of a resident’s first and last name and Social Security number, driver’s license or state ID number, or financial account number or payment card number that permits access to the individual’s financial account.

The regulations require entities to develop, implement and maintain a written, risk-based information security program that takes into account the entity’s size, nature of its business, types of records it maintains and the risk of identity theft posed by the entity’s operations. Also set out in the regulations are numerous administrative, technical and physical safeguards that the required information security program must include.

Finally, the regulations require covered entities to take steps to select and retain service providers that are capable of appropriately safeguarding personal information. Covered entities must contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements; provided, however, that service provider contracts entered into no later than March 1, 2010, are exempt from complying with this requirement until March 1, 2012.

To read more about compliance with the new regulations, please see our Client Alerts (from February 2009 and from September 2008) and our previous blog posts.

View the Massachusetts regulations.

Supreme Court Sets Oral Argument in Quon v. Arch Wireless for April 19, 2010

Hunton & Williams LLP — Mon, 22 Feb 2010 13:50:46 -0500

The U.S. Supreme Court has set oral argument for April 19, 2010, to review the Ninth Circuit’s 2008 decision on employee privacy in Quon v. Arch Wireless Operating Co. Although Quon concerns the scope of privacy rights afforded to public employees under the Fourth Amendment, the case also has forced private employers to renew their focus on ensuring robust and consistent enforcement of employee monitoring policies. Unlike government employers, private employers are not subject to the Fourth Amendment’s prohibition against unreasonable searches and seizures; instead, they must comply with federal wiretap statutes and state law. In practice, however, the “reasonable expectation of privacy” test courts apply to state common law privacy claims that govern private employers is virtually identical to the Fourth Amendment test. Accordingly, the Supreme Court’s review of the Constitutional test likely will affect how courts view privacy claims brought against private employers.

In reviewing the Ninth Circuit’s decision in Quon, the Supreme Court will consider three issues: (i) Whether a police officer has a reasonable expectation of privacy in text messages transmitted on his department-issued pager, where the police department has an official “no privacy” policy, but a non-policymaking lieutenant announced an informal policy of allowing some personal use of the pagers; (ii) whether the Ninth Circuit contravened the Supreme Court’s Fourth Amendment precedents and created a circuit conflict by analyzing whether the police department could have used less intrusive methods of reviewing text messages transmitted by a police officer on his department-issued pager; and (iii) whether individuals who send text messages to a police officer’s department-issued pager have a reasonable expectation that their messages will be free from review by the recipient’s government employer.

For more information, please see our previous blog post on the Quon case.

HHS Delays Enforcement of HITECH Act Business Associate Provisions

Hunton & Williams LLP — Fri, 19 Feb 2010 16:18:38 -0500

We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published. The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule. Similarly, the HITECH Act requires covered entities to provide in their business associate agreements that all of the HITECH Act’s security requirements applicable to covered entities are also applicable to business associates.

The Office for Civil Rights (“OCR”), which enforces HIPAA’s Privacy and Security Rules, has stated publicly that it is carefully evaluating how to proceed with HIPAA enforcement. For example, Section 13411 of the HITECH Act requires HHS to “provide for periodic audits to ensure that covered entities and business associates” are complying with the HITECH Act and its implementing regulations. At the 18th Annual National HIPAA Summit in early February, Sue McAndrew, the OCR’s Deputy Director for Health Information Privacy, explained that there are “1,000 ways” to conduct HIPAA audits and that OCR is working with a HIPAA expert to “map out essentially the range of options” to determine how best to effectively conduct HIPAA audits.

Despite the delay in enforcement, covered entities and business associates should take necessary actions to comply with the HITECH Act’s requirements. Please see our client alert on HITECH compliance for more information.

Failure to Secure Wireless Network Defeats ECPA Claims

Hunton & Williams LLP — Fri, 12 Feb 2010 11:24:54 -0500

A computer user’s failure to secure his wireless network contributed to the defeat of his claim that a neighbor’s unwelcome access to his files violated the Electronic Communications Privacy Act (ECPA). The ECPA places restrictions on unauthorized interception of, and access to, electronic communications.

In United States v. Ahrndt, No. 3:08-cr-00468-KI (D. Or. Jan. 28, 2010), Ahrndt argued that his neighbor violated the ECPA when she connected to his unsecured wireless network and accessed his iTunes library while a police officer observed. The court noted that under the ECPA, it is not unlawful for any person “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.” Because Ahrndt’s wireless network was broadcast in a 400 foot radius around his house, and because his iTunes program was configured to automatically share files with any computer that joined that network, the court held that the wireless network was “readily accessible to the general public,” and rejected Ahrndt’s ECPA claim. For similar reasons, the court also denied the defendant’s Fourth Amendment claim, finding that he had no reasonable expectation of privacy in his wirelessly broadcast iTunes files.

European Parliament Rejects the SWIFT Agreement

Hunton & Williams LLP — Thu, 11 Feb 2010 11:15:49 -0500

On February 11, 2010, the plenary of the European Parliament rejected by a vote of 378 to 196 the agreement reached in 2009 between the EU and the U.S. to allow access by U.S. law enforcement authorities to the payment database of the financial consortium SWIFT. The agreement had been negotiated between the EU Council of Ministers and the European Commission with the U.S. government to allow continued access to the database, a mirror copy of which had been moved by SWIFT from the U.S. to Europe. With the Lisbon Treaty’s entry into force, the Parliament gained new powers to approve measures affecting law enforcement and civil liberties, and a number of members of the Parliament have expressed concern regarding the level of data protection provided for in the agreement. According to news reports, several top U.S. government officials (including Secretary of State Hillary Rodham Clinton and Treasury Secretary Timothy Geithner) had been lobbying the European Parliament to approve the agreement, on the grounds that it was essential to fight terrorism in both the U.S. and Europe.

The rejection of the agreement sends the EU and the U.S. back to the drawing board to negotiate a new agreement, this time with the participation of the Parliament. The vote illustrates the enhanced powers of the Parliament in data protection and privacy matters under the Lisbon Treaty, and the dangers that companies face when caught between U.S. law enforcement requirements on the one hand and EU data protection restrictions on the other.

UK Airports Implement Compulsory Use of Full Body Scanners

Hunton & Williams LLP — Tue, 09 Feb 2010 13:46:56 -0500

On February 1, 2010, it became compulsory for randomly selected passengers at Heathrow and Manchester airports in the UK to pass through full body scanners before boarding their flights. This enhanced security screening has been implemented following the attempted Christmas Day terrorist attack at the Detroit airport in the United States, after which the British government announced that it would begin mandatory body scanning at all UK airports. The move has raised concerns about the excessive collection of personal data.

The British Department of Transport has published an Interim Code of Practice covering the privacy, health and safety, data protection and equality issues associated with the use of body scanners. The Code calls for the implementation of detailed security standards and for an effective privacy policy to be put in place by airport operators. The privacy policy should include as a minimum:

rules regarding the location of the equipment;
a process for identifying who will read the screen (i.e., a person of the same sex as the person selected for scanning);
a process for selecting passengers (passengers must not be selected on the basis of personal characteristics such as, gender, age, race or ethnic origin);
a prohibition on copying or transferring the images in any way;
instructions for the images of the passenger to be destroyed and rendered irretrievable once the image has been analyzed; and
a process to call on an appropriate Security Officer if an image suggests there is a viable threat to passenger or staff security.

The use of body scanners caused alarm in the privacy community when it was first mooted several years ago. The concern was that scanners could violate the European Convention on Human Rights and that their use would raise sensitivities (or even result in the commission of criminal offenses) when used to capture images of children. Towards the end of 2008, the European Commission withdrew a proposal to roll out body scanners across the EU after Members of the European Parliament called for a detailed impact assessment study. This resulted in the formation of a Body Scanners Taskforce, appointed to advise the Commission. A report, or any specific legislative proposals, have yet to be published.

The use of scanners has been discussed previously in France and Germany. In France, the proposal was dropped due to privacy concerns. The German Data Protection Commission has indicated it believes the machines infringe on the privacy of both adults and children, but the German news outlet Spiegel Online recently suggested that the machines may yet be installed in German airports following tests by Germany’s federal police.

Meanwhile, in a Canadian report published in March 2009, the Ontario Privacy Commissioner, Dr. Ann Cavoukian, approved the usage of the screening technology, commenting that as long as the scanners “incorporate strong privacy filters … [they] can deliver privacy-protective security.”

The British Department of Transport will continue to develop the Interim Code of Practice. The Department has announced that it will launch a full public consultation on the requirements relating to the use of scanners as set out in the Interim Code of Practice, and it will publish a Final Code of Practice later in the year. In the meantime, it is likely that additional airports in the UK and elsewhere in Europe will subject travelers to full body scans.

Privacy and Data Security Risks in Cloud Computing

Hunton & Williams LLP — Fri, 05 Feb 2010 16:58:54 -0500

Cloud computing raises complex legal issues related to privacy and information security. As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments. In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use of cloud computing.