Google Inc. v. Vidal-Hall: Opening the Doors to EU Data Protection Litigation?
The English Court of Appeal has recently issued a landmark judgment against Google which could open the door to data privacy litigation in the EU.
The case concerned the collection by Google of Safari users’ browser information, allegedly without their knowledge or consent. In its opinion, the Court of Appeal held that four individuals who used Safari browsers can bring a claim for breach of privacy and that the damages claimed can include distress – even in circumstances where there is no financial loss, as this had been the intention of the EU’s Data Protection Directive. To reach this result, the Court relied on EU legal authorities to override and displace limitations on recovery under the UK Data Protection Act.
Data Protection Legislative Hot Topic
Cyberthreat Sharing Bills Gain Momentum. On March 12, the Senate Intelligence Committee approved, on a vote of 14-1, the Cybersecurity Information Sharing Act of 2015 (“CISA”) to increase sharing of cybersecurity threat information by U.S. companies. The legislation grants liability protections for companies that voluntarily share cybersecurity threat information with the government or industry partners. The measure should be scheduled for a vote on the Senate floor shortly.
Reclassification of broadband Internet services will have impact on privacy of telecommunications customers’ data
On February 26, 2015, the Federal Communications Commission (FCC) passed the Open Internet Order to reclassify “broadband Internet access service” as a telecommunication service under Title II of the Communications Act of 1934. In doing so, the FCC found that applying section 222 of the Communications Act to broadband Internet access services is in the public interest and necessary for the protection of customers. Section 222 imposes a duty on telecommunications carriers to protect the confidentiality of proprietary information obtained from their customers or other carriers, and imposes special rules for use and disclosure of information related to customers’ phone service and usage, known as customer proprietary network information (“CPNI”).
Increasing Scrutiny of Insurance Companies’ Cybersecurity Preparedness
“A question we often get as financial regulators is: ‘What keeps you up at night?’ The answer is ‘a lot of things.’ But right at the top of the list is the cybersecurity at the financial institutions we regulate.”
Benjamin Lawsky, prepared remarks from speech at Columbia Law School on February 25, 2015.
Insurance regulators are gearing up to impose enhanced scrutiny on information security practices to boost protection of sensitive personal information.
European Court of Justice Finds ‘Right to be Forgotten’ and Compels Google to Remove Links to Lawful Information
A recent judgment of the highest court in the European Union announced that search engines within the court’s jurisdiction must respond to “right to be forgotten” requests. This authoritative interpretation of the existing data protection laws may create significant issues for Internet intermediaries and exacerbate the differences between the European privacy-based “right to be forgotten” and the United States’ free-speech based “right to remember.” This judgment will have a significant impact not only on search engine companies and publishers, but also on many other industries, including financial services and life sciences, that need to maintain data on individuals for legitimate business reasons, often for lengthy periods.
Broker-Dealers Need to Respond to Recent Focus on Cybersecurity Threats
Recent data breaches at retailers like Target have increased awareness about growing cybersecurity threats. Broker-dealers in particular need to reevaluate their own cybersecurity preparedness in light of several recent events:
- FINRA’s launch of a cybersecurity sweep, publicly announced on the FINRA website on February 6, 2014;
- The inclusion of cybersecurity as a priority in the SEC’s National Examination Program for 2014 and FINRA’s 2014 Annual Regulatory and Examination Priorities Letter;
- The White House’s February 12, 2014 release of the much-anticipated Framework for Improving Critical Infrastructure Cybersecurity; and
- An upcoming SEC public roundtable on cybersecurity issues, to be held in Washington, DC on March 26, 2014.
Business Concern over Amendments to Proposed EU Data Protection Regulation
The European Parliament’s Civil Liberties Committee has published its draft report on the proposed EU Data Protection Regulation that is causing concern for many corporations. http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf.
The report sets out amendments to the draft EU data protection regulation published by the European Commission last January (the “Regulation”).
Although the draft Regulation is one of the most lobbied pieces of European legislation, many will be disappointed that, as amended, it still imposes very significant burdens on businesses that are in the EU, or that are outside the EU but offer goods or services to EU customers, with fines of up to 2% of annual worldwide turnover.
EU Website Cookie Consent Requirements Now Being Enforced
The deadline of 26 May 2012 for businesses to comply with new EU website cookie consent requirements in the UK has now passed. Under the EU’s amended e-Privacy Directive 2002/58/EC, new rules were introduced last year for businesses to obtain the consent of website users to place cookies on a user’s computer. Although EU Member States were required to implement the consent requirements by 25 May 2011, the UK’s Information Commissioner’s Office (“ICO”) gave businesses a 12-month grace period to become compliant with the new law, which ended on 26 May 2012. Many other EU Member States have still to implement the cookie consent requirements, with only 20 of the 27 Member States having so far implemented the requirements into their national laws.
First Look: Leaked Draft of New EU Data Protection Regulation Suggests Significant Impacts for Global Businesses
A draft of a new EU Regulation on Data Protection to replace the existing EU Data Protection Directive was released unofficially earlier this week. The draft Regulation, once adopted, will have a significant impact on virtually all businesses established in the EU, or that carry on business with the EU, introducing significant internal compliance requirements and fines that range up to 5% of worldwide turnover.
In an article published by the Bureau of National Affairs, John Casanova and William Long of the London office of Sidley Austin and Alan Raul and Ed McNicholas of the Sidley Washington office provide their initial analysis of this significant new EU development. For further information on this development and other EU data protection requirements please contact John Casanova or William Long and for counseling in relation to US privacy issues please contact Alan Raul.
Reproduced with permission from Privacy & Security Law Report, Vol. 10 PVLR No. 48, 12/12/2011. Copyright 2011 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
Business Concern Over New EU Consent Requirement to Use Website Cookies
New EU cookie consent requirement