Friday, February 19, 2010

EU Revises Model Contract Clauses for Data Transfers

The EU Data Protection Directive restricts transfers of personal data of EU residents to non-EU countries. A common approach for complying with this obligation is for the EU data transferor and the transferee abroad to adopt model contract clauses approved by the European Commission. The European Commission earlier this month adopted a decision approving a new set of model contract clauses for the transfer of personal data from a data controller to a foreign processor (controller-to-controller clauses were previously approved). The new clauses permit the foreign processor to re-transfer data to a sub-processor (the previous version did not permit this), and delete an arbitration provision from the previous version that had never been applied in practice.

© Copyright 2010 Steptoe & Johnson LLP

Friday, February 12, 2010

European Commission urges social-networking service providers to improve child safety policies

The European Commission is urging social-networking service providers to improve their child safety policies. In February 2009, 17 social-networking service providers such as Bebo, Facebook, Google and Microsoft signed an agreement on "Safer Social Networking Principles for the EU" (see Legal update, Social-networking service providers sign agreement on child online safety). The Commission has published a report in which it says that most of these companies had empowered minors to tackle online risks by making it easier to change privacy settings, block users or delete unwanted comments and content. However, Viviane Reding, Commissioner for Information Society and Media, said more needed to be done. Fewer than half of social-networking providers made profiles of under-18 users visible only to their friends by default, and only one third replied to user reports asking for help. Source: European Commission press release, 9 February 2010.

Court Muddies the Water on Electronic Signatures in New York

In Prudential Ins. Co. v. Dukoff, et al., a federal district court in New York has left unclear whether state regulators can add requirements for electronic signatures that go beyond those defined in the state’s electronic signatures law. While the court suggested that the state insurance department’s requirements were inconsistent with the statute, it nonetheless deferred to the department’s opinion that an electronic signature on an insurance application is valid only if the insurer can verify the identity of the person signing the application.

Is the UK Moving Toward A De Facto Data Breach Notification Requirement?

The UK's Information Commissioner's Office recently warned companies that they could face tougher sanctions if they don't report data security breaches to the ICO. Although notification is not strictly required by the ICO, a recent statement by the ICO suggests that the agency may be seeking to establish a de facto notification requirement for serious data breaches. This warning is yet another sign that more countries, particularly in Europe, are moving toward expressly requiring notification of government agencies and/or affected individuals in the event of a data breach.
