The UK’s Information Commissioner’s Office has decided that the “right to be forgotten” must be implemented on any search engine accessible from within the UK, not just the European versions of those services (such as google.co.uk). This follows a decision by France’s data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés) earlier this year ordering Google to remove links to objectionable search results on all its domains worldwide rather than only on EU domains (such as google.fr). The EU’s Article 29 Working Party has also issued statements to the same effect. In a November 2 blog post, the UK’s ICO announced that it had amended its first enforcement notice in a right-to-be-forgotten case so that it now requires Google to remove search results “from all versions of the Google search service directly accessible from within the UK.”
© Copyright 2015 Steptoe & Johnson LLP
Monday, November 23, 2015
Friday, September 11, 2015
International (UK): First-tier Tribunal dismisses Optical Express appeal on marketing texts
Although this is not a local case, take note of what consent means when you want to use Personal Information for Direct Marketing: the same principle/condition will apply in the RSA as well.
The First-tier Tribunal has upheld the Information Commissioner’s enforcement notice requiring Optical Express (Westfield) Limited (Optical Express) to stop sending unsolicited marketing texts, in contravention of section 22(2) of the Privacy Regulations 2003 (as amended), to individuals whose details were obtained under data supplier agreements.
Case: Optical Express used personal data provided by a number of suppliers, including Thomas Cook, to send text messages marketing its laser eye surgery. The Information Commissioner received 7506 complaints from individuals about this. Optical Express argued, among other things, that if their suppliers agreed in their contracts to only supply "consented data", that should be sufficient proof of consent.
Brian Kennedy QC disagreed: " ... when consent was obtained by Thomas Cook or whomever, it was not stipulated (or at least it has not been shown to have been stipulated) that the personal data would be processed by OE. Neither was the marketing of specific types of products stipulated ... This falls under the "to guarantee fair processing" category. If the data subject doesn't know what other products might be marketed then how can he exercise his right to object to some of them whilst being happy to receive others?" In failing to obtain "proper, fully informed and specific consent", Optical Express had not met the requirements of regulation 22(2).
Friday, September 04, 2015
Data Protection: How important is it to know what to do if there is a data breach?
Grupo Financiero Banorte, Mexico’s third largest bank, suffered a data breach earlier this year and is now reportedly being fined 32 million pesos ($1.98 million) by the Mexican data protection authority, the National Institute of Transparency, Access to Information and Protection of Personal Data, for failing to inform all of its clients immediately after the hack occurred. Mexico’s National Banking and Securities Commission is also investigating the matter and is expected to issue corrective measures.
To formulate and implement an effective incident response solution, including but not limited to an attorney and forensic experts on standby, contact Gerrie van Gaalen
International: The Right To Forget Metadata
The UK’s Information Commissioner’s Office (ICO) has enforced the European cyber law’s “right to be forgotten” against Google over search results linked to a minor crime committed by an individual ten years ago. Last month, the ICO released an enforcement notice ordering the search engine to remove within 35 days nine links associated with the individual’s crime. In some respects, the decision represents an expansion of the right as it involves removing links to articles about Google's removal of articles about the individual.
If you need assistance on submitting a request to remove certain information about you from the search engines, then contact Gerrie van Gaalen
Friday, July 24, 2015
International: Russia Enacts Right To Be Forgotten Law
Russia has enacted a law requiring search engines to remove website links containing inaccurate, outdated, or unlawfully released personal information. Much like the European Court of Justice’s ruling in May 2014 establishing a “right to be forgotten” in the EU, Federal Law No. 264-FZ allows Russian citizens to request that search engines remove website links from search results if they contain information that is false, outdated, or violates Russian law. However, the law does not apply to information about criminal offenses or to search engines operated by federal and municipal authorities. Individuals may file lawsuits against the search engines if their requests are denied. The law, which was signed by President Vladimir Putin on July 14, takes effect on January 1, 2016.
International: China Seeks To Tighten Control Over Internet With Draft Cybersecurity Law
The Chinese parliament has issued a draft cybersecurity law aimed at “safeguarding China’s sovereignty over cyberspace and national security and public interests.” The law outlines a plan for a multi-level system to prevent unauthorized network access, and calls for Internet-related industry associations, ISPs, and businesses to strengthen their cybersecurity standards. It also establishes specific security requirements for operators and suppliers of networks and critical information infrastructure, including a provision that requires ISPs to store on Chinese territory any data collected within China and to obtain government approval before storing data overseas for business purposes. If enacted, the draft law would allow the Chinese government to expand its online censorship practices and its control over Internet service providers and foreign firms operating in the country.
Sounds like certain movements in South Africa...worrying movements.
Friday, May 22, 2015
The “EMV Liability Shift” Is Coming (What Merchants Need to Know)
Interesting read on EMV liability shift - retailers to take note: http://www.dataprotectionreport.com/2015/05/the-emv-liability-shift-is-coming-what-merchants-need-to-know/
Friday, April 24, 2015
International: South Korean Law Promotes, Regulates Cloud Computing Providers
South Korea has enacted a new cloud computing law that promotes the use of cloud computing and provides a legal framework for user privacy protection. Under the Cloud Computing Development and User Protection Act, cloud computing service providers will have to notify users of any data breach or service outage, as well as comply with existing personal information protection laws. The law goes into effect September 28, 2015.
International Chamber of Commerce launches new cyber security guide for business
The International Chamber of Commerce (ICC) has launched a new, free-to-download cyber security guide for business.
The new guide outlines how businesses can optimise their ability to identify and manage evolving cyber security risks. It was written with managers without an IT background in mind and, as such, adopts a pragmatic and accessible approach to the issues.
Click on link for free-to-download guide: http://www.iccwbo.org/Advocacy-Codes-and-Rules/Areas-of-work/Digital-Economy/Cyber-Security-Guidelines-for-Business/ICC-Cyber-Security-guide-for-business/
Contact us if you need further assistance or guidance through an appropriate IP&ICT Legal Risk Assessment / Audit
Thursday, February 12, 2015
Data protection - App Stores: selling goods without the necessary paperwork?
A group of 23 global data protection authorities has sent a letter to seven of the biggest appstore providers urging them to make the use of privacy policies mandatory for all apps using personal data sold via their platforms.
The letter follows an enforcement sweep by 26 privacy enforcement authorities involved in the Global Privacy Enforcement Network (GPEN) in September 2014, which aimed to assess whether mobile app providers comply with data protection laws. Among other things, the results of the sweep indicated that 85% of the mobile app providers surveyed did not provide clear information on how the apps collect, process and disclose users' personal data.
The letter states that although app developers clearly have a responsibility to communicate their privacy practices to their users, mobile operating system developers and appstore providers also play a unique and integral role in users' interactions with apps they make available through their stores.
If you need a Mobile app privacy policy, then contact Gerrie van Gaalen
Friday, January 16, 2015
Russia Extends Deadline For Data Localization Law
Russian President Vladimir Putin approved a deadline of September 1, 2015, for companies to relocate their computer servers containing Russian citizens’ #personalinformation within the country’s borders. The new timeframe for compliance with Russia’s data localization law was approved last month by both the upper house of Parliament and the Duma. The Duma had previously passed a bill that would have moved the deadline up to January 1, 2015, over a year ahead of the law’s original effective date of September 1, 2016. Lawmakers agreed to change the date after hearing from affected businesses concerned about the feasibility of setting up the necessary IT infrastructure in time to meet the law’s requirements.
#eCommerce, #Privacy: Zappos - hacking of personal information
Zappos is to pay $106,000 to settle an investigation of a 2012 hacking incident affecting the personal data of the online clothing retailer’s customers. Under the agreement, Zappos must review its information security policies and train its employees in them, ensure adherence to industry data security standards, and obtain a third-party audit of its practices.
Do you have the necessary policies and training in place to prevent a possible breach of privacy? Contact us for assistance.
Monday, January 05, 2015
US: Boston Hospital Settles Data Breach Suit Over Unencrypted Laptop
Beth Israel Deaconess Medical Center in Boston has agreed to pay $100,000 to settle the Massachusetts Attorney General’s lawsuit over a 2012 data breach involving the theft of a physician’s unencrypted laptop. In addition to the financial penalty, the hospital will also have to revise its data security measures to ensure compliance with state and federal law. The consent agreement requires BIDMC to track and encrypt all hospital-purchased devices and to implement ActiveSync or other technology that prevents unencrypted smartphones and tablet devices from accessing personal information on the hospital’s email servers. BIDMC must also review its policies and procedures regarding portable device security and train employees on how to handle personal and protected health information.
© Copyright 2014 Steptoe & Johnson LLP
How to avoid a similar risk at your organisation?
i) establish your current position against the applicable legislation
ii) determine realistic goals to achieve the recommended position in terms of data protection
iii) implement appropriate deliverables, including but not limited to a Data Protection Policy, IT Security Policy, Mobile Device Policy and BYOD Policy
iv) implement standard training and audit procedures at your organisation.
Tuesday, October 07, 2014
Big win for fibre in South Africa
http://mybroadband.co.za/news/telecoms/111056-big-win-for-fibre-in-south-africa.html
Thursday, September 25, 2014
Document Management Systems (#DMS) solutions - audit
Paper documents take up space, they are difficult to store and waste time when people have to handle them. Businesses are further faced with more and more electronic communications via #email, #fax2email and social media communications, and all of this needs to be managed effectively.
There is currently a big drive to use technology to manage documents, records and information better; however, not all technology solutions comply with the Protection of Personal Information Act (#POPI), the Consumer Protection Act (#CPA) and other Records Management legislation.
Before selecting a #DMS solution for your business, contact us to assist you in the evaluation of the solution and to confirm whether it, or the proposed information process, adheres to POPI, CPA and other relevant Records Management legislation.
Thursday, September 18, 2014
Adobe Breach Victims Have Standing To Sue Based On Risk Of Future Harm
The U.S. District Court for the Northern District of California has ruled in In Re Adobe Systems, Inc. Privacy Litigation that customers affected by Adobe’s 2013 data breach have standing to sue based on the increased risk of future harm caused by hackers who gained unauthorized access to their personal information. The decision is in some tension with other court rulings that have interpreted the Supreme Court’s ruling in Clapper vs. Amnesty International USA as foreclosing standing where the plaintiffs’ claims were based on the risk of future harm. But the opinion is well reasoned, and may help plaintiffs establish standing in other breach suits.
Monday, August 04, 2014
Guidelines: Application development
If you are an App developer and/or owner, take note that, in terms of Android apps (as per comments from Google), the use of the word "free" will be phased out for app games that contain in-app purchases. We still await what Apple will do. The Google changes will be implemented during September 2014.
Friday, June 06, 2014
European Court of Justice rules that internet browsing is not copyright infringement
The ECJ confirmed that simply browsing copyright material on a website will not infringe copyright and that prior authorisation from the copyright owner is not required, even though reproduction takes place on the end user's computer screen and in the internet cache of the computer's hard drive.
The Court ruled that on-screen and cached copies, made by an end-user in the course of viewing a website, satisfied the conditions in Article 5(1) of the Copyright Directive (2001/29/EC) that those copies must be temporary, transient or incidental in nature, and must constitute an integral and essential part of a technological process, as well as various conditions laid down in Article 5(5) of the Copyright Directive (2001/29/EC), and that they could therefore be made without the authorisation of the copyright holders.
Take note: browsing of copyright protected material is not the same as actually copying same and placing it somewhere else, whether for subsequent use or not.
The Court case: Public Relations Consultants Association v Newspaper Licensing Agency and others, Case C-360/13, 5 June 2014.
Monday, June 02, 2014
Google in quandary over upholding EU ruling
Google and other Internet companies find themselves in a quandary over how to strike a balance between privacy and freedom of information as the top world search engine took a first step towards upholding an EU privacy ruling.
Google moved overnight to put up an online form that will allow European citizens to request that links to obsolete information be taken down – its first response to the ruling by Europe's top court on "the right to be forgotten".
The ruling on 13 May upheld a 1995 European law on data protection and ordered Google to remove links to a 1998 newspaper article about the repossession of a Spanish man's home.
After putting up the online form in the early hours of Friday, Google received 12 000 requests across Europe, sometimes averaging 20 per minute, by late in the day, the company said. That puts Google and other Internet companies in the position of having to interpret the court's broad criteria for information that is "inadequate, irrelevant or no longer relevant" as well as developing criteria for distinguishing public figures from private individuals.
"The court's ruling requires Google to make difficult judgements about an individual's right to be forgotten and the public's right to know," a Google spokesman said.
Digital rights campaigners say the EU authorities need to agree on a common approach to guide the search engine companies. Next week representatives from the EU's 28 data protection authorities are due to discuss the implications of the ruling at a two-day meeting.
"Companies should not be tasked with balancing fundamental rights or making decisions on the appropriateness, lawfulness, or relevance of information they did not publish," said Raegan MacDonald, European policy manager at Access, a digital rights organisation.
Definitely a discussion to follow in terms of privacy vs. freedom of information. What are your thoughts on this?
Friday, May 23, 2014
US: Protection of Personal Information
HHS Announces Record HIPAA Settlement
New York-Presbyterian Hospital (NYP) and Columbia University have agreed to pay a combined $4.8 million – the largest HIPAA settlement ever involving a single incident – to settle charges that they violated the HIPAA Privacy and Security Rules by accidentally making the electronic protected health information of their patients accessible to Internet search engines. The Department of Health and Human Services’ Office for Civil Rights (OCR) launched its investigations after the entities – which operate a shared data network and firewall – notified it of the breach. As part of the settlement, NYP will pay $3.3 million, and Columbia will pay $1.5 million. The entities also agreed to undertake risk analyses, develop risk management plans, revise their existing policies and procedures, and provide training on privacy and security awareness.