Tag Archives: Data Security

Dutch Data Protection Authority Threatens Google with a €15 million fine

The Dutch data protection authority, College Bescherming Persoonsgegevens (CBP), released a cease and desist order requiring Google to pay €60,000 per day, up to a maximum of €15 million, for violating Dutch data protection law, Wet bescherming persoonsgegevens (Wbp). Google has until the end of February 2015 to change the way it handles personal data. The … Continue Reading

EDPS publishes Guidelines on data protection in EU financial services regulation

The European Data Protection Supervisor published ‘Guidelines on data protection in EU financial services regulation’ (Guidelines) to be used as a “practical toolkit for ensuring that EU data protection rules are integrated when developing EU financial policies and rules.” The Guidelines address the processing of personal information involved in supervising financial markets, particularly through the … Continue Reading

EU Art. 29 Assesses Cybercrime Assessment

The Article 29 Data Protection Working Party (Working Party) sent a letter to the Council of Europe discussing its first assessment of several cybercrime scenarios presented at the 2014 Cybercrime@Octopus conference (Conference). The scenarios that sought to create “discussion on the consequences of data protection legislation and principles when obtaining such data in a criminal … Continue Reading

EU Art. 29 Working Party Opinion on the Internet of Things

The EU Article 29 Working Party (WP29) has issued an Opinion on ‘Recent Developments on the Internet of Things’ (Opinion). The Opinion stresses the privacy and security challenges generated by the development of the Internet of Things (IoT), while acknowledging the benefits of IoT to individual lives, and the prospect of significant economic growth within … Continue Reading

ISO develops the first privacy-specific cloud standard

Earlier in 2014, the International Standards Organisation (ISO) developed a new voluntary standard, ISO 27018 (Standard), establishing commonly accepted control objectives and guidelines to protect personal information for a public cloud computing environment. The need to create trust in cloud solutions led to the development of the Standard, in accordance with one of the key … Continue Reading

UK Government releases ‘Bring Your Own Device’ Guidance

In early October, the UK government updated a collection of guidance notes they had issued on ‘bring your own device’ initiatives (BYOD). Given the increase in employees using their personal devices to connect to their employers’ systems, employers in both the private and public sector will welcome this guidance. The ‘BYOD Guidance: Executive Summary’ describes … Continue Reading

UK ICO to endorse privacy seal schemes

The UK Information Commissioner’s Office (ICO) signalled its commitment to approving third-party “privacy seal” schemes following its recent public consultation. The first UK schemes should be operational by 2016. The consultation comes in anticipation of the European Commission’s revised data protection framework proposals, which may include provisions intended to encourage the adoption of privacy seals, … Continue Reading

OWASP releases the results of its Privacy Risks Project

The Open Web Application Security Project (OWASP) published its findings on the ‘Top 10 Privacy Risks’ for 2014. The aim, according to one of the developers of OWASP, was to build a top-10 list of both technical and organisational risks to “help people with developing web applications, or a social network.” The OWASP is an … Continue Reading

Is Your Employee-Monitoring Policy Up to the Job? UK Case Shows Importance of Having the Right Policy

The UK Employment Appeal Tribunal (the “EAT”), in the case of Atkinson v Community Gateway Association UKEAT/0457/12/BA, dismissed the employee’s claim that his right to privacy had been infringed, and confirmed, more generally, that an employer will be entitled to monitor its employees’ workplace emails and Internet use where a clear policy is in place. … Continue Reading

Amendments to Poland’s Data Protection Law Ease the Rules on Data Exports and Data Protection Officers

The Polish Parliament passed the Facilitation of Business Activity Act (source in Polish) which significantly amends the existing Act on Personal Data Protection. The amendments come into force 1 January 2015. The changes mean that the EU Commission’s approved Standard Contractual Clauses for data transfers (“SCCs”) and approved Binding Corporate Rules (“BCRs”) are automatically recognised … Continue Reading

EU Art. 29 Proposes Class Actions to Enforce Privacy Rights

This month, the Article 29 Data Protection Working Party (Working Party) and the French Data Protection Authority (CNIL) held the European Data Governance Forum, an international conference focusing on the issues of privacy, innovation and surveillance in Europe. The conference highlighted many of the issues raised in the Joint Statement released by the Working Party … Continue Reading

Privacy Authorities Urge Mobile Apps to Implement Privacy Policies

In December, 23 privacy authorities – many of which are members of the Global Privacy Enforcement Network (GPEN) – signed an open letter to the operators of seven app marketplaces, urging them to improve consumers’ access to privacy information on mobile apps. The letter states that: Mobile apps that collect data in and through mobile … Continue Reading

Oregon Breach Notification Law Changes on the Horizon

On December 10, Oregon Attorney General Ellen Rosenblum testified in front of the joint Oregon Senate and House Judiciary Committee on the evolving nature of not only data collection and use, but also on cybersecurity incidents and hacking, and the need to amend the Oregon data breach notification law to provide enforcement authority to the … Continue Reading

One Year Later: Consumers Can Proceed Against Target in Data Breach Lawsuit

On the one-year anniversary of Target’s announcement that it had suffered a massive data breach, Judge Magnuson in the District of Minnesota cleared the way for a consumer class action against the retailer to move forward into discovery. Earlier this month, the court ruled that the financial institution class actions can also proceed. In the … Continue Reading

EU Council Agrees on Partial General Approach to General Data Protection Regulation

At the latest meeting in Brussels, Justice ministers agreed on a partial general approach. Andrea Orlando, Italy’s Minister for Justice and President of the Council, expressed the importance of this consensus on one of the “most politically sensitive issues on data protection reform”. The press release states that the partial general approach includes articles which … Continue Reading

UK Public Authority Forced To Identify Private Sector Consultant Under Freedom of Information Act

The First Tier Tribunal General Regulatory Chamber (Information Rights) (the “FTT”), in the case of Alan Matthews v Information Commissioner [2014] EA/2012/0147, ruled that – despite being “personal data” – the name and qualifications of a private consultant should be released in response to a request under the Freedom of Information Act 2000 (“FOIA”). This … Continue Reading

Draft Data Protection Regulation delayed

At the latest meeting in Brussels, Justice ministers failed to come to a consensus on the “one stop shop mechanism” and the role of the proposed European Data Protection Board (EDPB). The minutes state that while a “majority of ministers endorsed the general architecture of the proposal,” “further technical work is required”. Ahead of the … Continue Reading

PCI Seeks to Help Organisations Educate Staff on Information Security with New Guidance

In October, the Payment Card Industry (“PCI”) Security Standards Council published the Best Practices for Implementing a Security Awareness Program Information Supplement (“Supplement”) to help organisations educate their employees on the importance of protecting, the care in handling, and the risks of mishandling sensitive information. The PCI Special Interest Group (“PCI SIG”) developed the Supplement … Continue Reading

EU Art. 29 Releases Guidelines on the Right to be Forgotten

In November, the Article 29 Data Protection Working Party (Working Party) released guidelines as to how the Data Protection Authorities (DPAs) assembled in the Working Party intend to implement the judgment of the Court of Justice of the European Union (CJEU) in the case of Google Spain SL and Google Inc. v Agencia Española de … Continue Reading

FCC’s Notice of Opportunity To Comment on Robocalls and Call-Blocking Issues Raised by 39 Attorneys General

On November 24, the FCC released a wide-ranging public notice seeking comment on a September 9, 2014, letter from the National Association of Attorneys General (NAAG), purportedly written “on behalf of the millions of Americans regularly receiving unwanted and harassing telemarketing calls.” The letter, signed by a bipartisan group of 39 AGs led by Chris … Continue Reading

FCC Confirms that Even Solicited Fax Ads Must Contain Opt-Out Language, and Sets Six-Month Deadline for Companies to Seek a Retroactive Waiver

On October 30, 2014, the FCC issued a much-anticipated ruling (“FCC Order”) resolving several petitions seeking clarification of the opt-out notice requirement regarding advertisements faxed to consumers, contained in the Telephone Consumer Protection Act, section 227 of the Communications Act (“TCPA”). The FCC ruled that all such faxes, even those sent with the recipient’s prior … Continue Reading

Data Security Threats Are on the Rise in the Golden State, According to California Attorney General Kamala Harris

This post was also written by Maytak Chin. A California attorney general’s report released this month shows that data security threats are on the rise in the Golden State. Against a backdrop of increasing security breaches, the report recommends best practices for companies to adopt as a way to reduce their vulnerabilities and to better protect … Continue Reading

Reed Smith attorneys conduct Q&A with Idaho AG

This post was also written by Frederick Lah. Attorney General (AG) Lawrence Wasden is Idaho’s longest-serving AG, having served since his election in 2002. Wasden has been a strong advocate of consumer protection issues related to privacy, such as marketing scams and Internet safety, particularly with respect to teens and children. He also has served as … Continue Reading