Category: Online Privacy

31 October 2016

ICO Updates Guidance on Privacy Notices

The EU Data Protection Directive requires that personal data be processed fairly, which includes providing individuals with certain information about how a business uses their data, for example by way of a privacy notice. These information requirements will be enhanced under the new EU General Data Protection Regulation (“GDPR”), which will require many companies to review and amend their employee and customer notices, consents and policies (including privacy notices).

18 October 2016

G7 Sets Guidelines for Cybersecurity for the Financial Sector

As the financial services sector becomes ever more reliant on new technologies to decrease costs and create more efficient systems, it becomes more vulnerable to cyber attacks. On October 11, 2016, the Group of Seven (“G7”) industrial nations agreed on a set of guidelines to combat the cyber risks that are “growing more dangerous and diverse, [and] threatening to disrupt our interconnected global financial systems and the institutions that operate and support those systems.” These issues have been particularly visible following a number of high profile cybersecurity attacks at financial institutions.

07 September 2016

Why Design Matters: It Can Determine Whether an Online Agreement is Enforceable

*Updated on September 8, 2016

The Southern District of New York recently issued a ruling that raises new issues with customer consent and arbitration contracts in a simple click-through agreement, adding to the increasing judicial skepticism over the enforceability of browse-wrap agreements, despite the Supreme Court’s seeming endorsement of consumer arbitration clauses in AT&T Mobility v. Concepcion, 563 U.S. 333 (2011), based on preemption by the Federal Arbitration Act. Soon after this decision, however, the Ninth Circuit issued a ruling that went the other way and found that the arbitration terms in Uber’s terms and conditions were enforceable. Central to these cases have been findings on the degree to which terms of use can be considered binding.

29 August 2016

Despite Lenient View of Standing, Appellate Court Dismisses “Clearly Meritless” Case on 12(b)(6) Grounds Not Considered by the District Court; Lessons Abound

In Carlsen v. GameStop, Inc., the Eighth Circuit held that a plaintiff had standing to bring privacy claims that his personal information, specifically web browsing data, was provided to a third party in violation of an allegedly express agreement not to do so (namely, the defendant’s privacy policy). The district court had previously dismissed the complaint for lack of standing because the plaintiff, a paying customer of GameStop’s online video game magazine, failed to allege that he paid any specific amount for the privacy policy or that he bargained for any additional privacy beyond what non-paying users obtained. However, even though the district court did not consider the defendant’s 12(b)(6) motion to dismiss the complaint for failure to state a claim, the appellate court nonetheless affirmed the dismissal on that basis.

26 August 2016

German guidance on employee monitoring a reminder to carefully craft Acceptable Use Policies

Earlier this year, German data protection authorities issued guidance (in German) for companies regarding monitoring of employees’ work email accounts and Internet usage. The guidance establishes a framework based on the German Federal Data Protection Act (“FDPA”) and on whether the employer allows employees to use their work email and Internet services for personal use. Where personal use is prohibited, the data protection authorities recognize a greater scope for monitoring. The guidance also recognizes that employers may randomly check employees’ Internet use to ensure it is being used only for business purposes. Further, employers may access an employee’s sent and received emails during a long absence if required for business purposes.

08 August 2016

Second Circuit Microsoft Ruling: A Plea for Congressional Action

*This article originally appeared in Law360 on August 1, 2016.

On July 14, 2016, the U.S. Court of Appeals for the Second Circuit issued a long-awaited decision that, to the surprise of many observers, rejected the government’s construction of the Stored Communications Act (SCA) and instead embraced a more restrictive view that Microsoft Corp. had advanced, backed by much of the tech industry and many privacy groups. The decision holds that electronic communications that are stored exclusively on foreign servers cannot be reached by U.S. prosecutors under the SCA’s warrant provisions, not even where the warrant is served on a U.S. provider that can access the foreign-stored information, and deliver it to U.S. officials, entirely by using computers and personnel based in the United States. Microsoft Corp. v. USA, In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation (2d Cir. July 14, 2016) (Docket No. 14‐2985).

04 August 2016

HHS Office for Civil Rights Updates Its Website with Guidance on HIPAA Audits and Unique Device Identifiers (UDIs)

HHS-OCR has updated its website with guidance on two important and current issues: ongoing HIPAA audits and de-identification. After officially launching phase two of its audit program, sending notification letters to 167 covered entities, HHS-OCR has posted updated guidance on its website regarding the audits. Separately, OCR also posted guidance on the treatment of unique device identifiers (UDIs) under HIPAA’s standards for de-identification and limited data sets.

03 August 2016

Russia announces new laws requiring telecoms and internet service providers to retain personal data, and increasing penalties for online hate speech

On July 7, Russian President Vladimir Putin signed a law amending existing anti-terrorism legislation that could affect U.S. telecom and internet service companies operating in Russia. It will require telecommunications operators and internet service providers (“ISPs”) to retain communications content, including personal data, for up to 6 months, and metadata about those communications for up to 3 years. Further, if any encryption is used to protect the data, the telecommunications operator or ISP must provide the Russian authorities with the means to decrypt it.

26 July 2016

Second Circuit Sides With Microsoft; Data Exclusively Stored On Foreign Servers Not Subject to SCA Search Warrant

On July 14, 2016, the U.S. Court of Appeals for the Second Circuit issued a long-awaited decision that, to the surprise of many observers, rejected the government’s construction of the Stored Communications Act (SCA) and instead embraced a more restrictive view that Microsoft had advanced, backed by much of the tech industry and many privacy groups. Microsoft Corp. v. USA, In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation (2d Cir. July 14, 2016) (Docket No. 14‐2985). (Sidley Austin LLP represented a number of amici in support of Microsoft before the Court of Appeals and the District Court.) The decision holds that electronic communications that are stored exclusively on foreign servers cannot be reached by U.S. prosecutors under the SCA’s warrant provisions, not even where the warrant is served on a U.S. provider that can access the foreign-stored information, and deliver it to U.S. officials, by using computers and personnel based in the United States.
