Weekly Data Privacy Alert – 1 April 2016
OpposeTel Appointed to Protect Against Unwanted Telemarketing Calls
As of 1 June 2016, OpposeTel will replace Pacitel as the appointed service to control the list of data subjects that do not wish to receive telemarketing phone calls. This is almost the final building block of the new regulation to prohibit professionals from direct telemarketing (article L 121-34 of the French Consumer Code). Calling data subjects on the list for telemarketing purposes can result in a fine of €15,000 for individuals and €75,000 for corporations.
Press Release (in French)
Article L 121-34 of the French Consumer Code (in French)
CNIL Fines Google €100,000
The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has issued a €100,000 fine following Google’s refusal to comply with the CNIL’s injunction to extend delisting to all of its search engine domain name extensions.
Positive Views of the General Data Protection Regulation in the German Parliamentary Committee
In a public hearing of the Bundestag committee “Digitale Agenda”, German data protection experts from the state, the industry and academia have taken an overall positive view of the coming General Data Protection Regulation (GDPR).
The Federal Data Protection Officer, Andrea Voßhoff, stated that in spite of her detailed critique the GDPR would ensure a high level of protection. Data-based business models would remain possible, although their legality needed to be assessed in every individual case.
Dagmar Hartge, the Brandenburg Data Protection Officer, complimented the principle of lex loci solutionis (law of the place where relevant performance occurs) contained in the GDPR as it will bind non-European companies to the EU data protection law and foster fair competition.
The representative of the internet industry criticized the GDPR for not creating incentives for the use of pseudonymised data. The representative of academia found that the GDPR was lowering German data protection standards. This could, however, be compensated for by the wide scope that the GDPR leaves for member state implementation.
Press Release (in German)
German Association for Data Protection Heavily Criticizes Privacy Shield
The German Association for Data Protection (Deutsche Vereinigung für Datenschutz – DVD) has expressed immense disappointment with the recently presented material of the EU-US Privacy Shield. According to the DVD, the attempt to get the US Government to conform to the requirements of the European Court of Justice has completely failed. The DVD appealed to the European Parliament and the Article 29 Working Party to reject the intended adequacy decision by the European Commission.
Press Release (PDF) (in German)
Swansea Dubbed “UK’s Cold Call Capital”
The Information Commissioner’s Office (ICO) has dubbed Swansea “UK’s cold call capital” after it fined two further companies in the city. The two companies that were recently fined were Flacon and Point, which made automated calls about PPI, and Direct Choice Home Improvements Ltd, which traumatised people by asking to speak to deceased relatives. In total, the ICO has fined six Swansea-based companies since 2013.
Three Separate Class Action Cyber Breach Lawsuits Filed Against 21st Century Oncology
Three weeks ago, 21st Century Oncology announced that medical records of at least 2.2 million current and former patients had been illegally obtained due to a security breach. As a result, last week, three separate class-action lawsuits were filed against 21st Century Oncology. The lawsuits assert the company failed to take adequate security measures in protecting electronic medical records, resulting in a cyber breach exposing them to “substantial financial and other injury and damage.” Plaintiffs are seeking more than US$15 million from 21st Century, accusing the company of multiple violations including negligence, unjust enrichment and breach of implied covenant of good faith and fair dealing. The lawsuit claims the FBI informed 21st Century of the security breach in December 2015, one month after investigators believe the intrusion occurred, but the company did not notify the Securities and Exchange Commission until March 4, 2016, and current and former patients did not receive letters notifying them of the breach until mid-March.
US Office of Management and Budget Annual Cybersecurity Report Notes 77,000 Cyber Incidents Against US Government in 2015
The Office of Management and Budget (OMB) released the annual report mandated by the Federal Information Security Modernization Act (FISMA) of 2014, on March 18, 2016. The report, which evaluates Federal agencies’ information security policies and practices, indicates that during 2015 there were 77,000 cyber incidents aimed at the government, including network breaches or data infiltration – a 10% increase from 2014. The report also notes that most federal agencies lack information security, and that while several initiatives to address the personnel challenge exist, “implementation and awareness of these programs is inconsistent.”
Privacy Laws on the Horizon for Autonomous Vehicles
In mid-March, the Senate Commerce Committee held a hearing to learn more about the advancements in autonomous technology and to discuss a cohesive national policy on how companies can use personal data collected by autonomous vehicles. Representatives from Lyft, Google, General Motors and Delphi Automotive, along with Mary Louise Cummings, the Director of the Humans and Autonomy Laboratory at Duke University, testified at the hearing. Given that autonomous vehicles will collect large amounts of personal information about their passengers, lawmakers are concerned about how, if at all, data collection ought to be regulated. Lawmakers also want to stay involved in the regulation of autonomous vehicles. Senator Bill Nelson (D-FL) expressed this concern, noting: “You can imagine what would happen to get an autonomous vehicle hacked out on the road…. One small defect could end up with a massive safety crisis. So no more cover-ups, no more head-in-the-sand approaches to safety.”
In January 2016, Secretary of Transportation Anthony Foxx announced he is giving the Department of Transportation six months to draft comprehensive rules governing how autonomous cars should be tested and regulated. Currently, several states, including California, Nevada, Michigan, Florida and Washington DC, have adopted laws regulating the testing and sale of autonomous vehicles.