Tag Archives: Regulatory Enforcement

Australia Adopts New Data Breach Notification Legislation

Written by
On February 13, 2017 Australia became one more among nation states adopting data breach notification legislation. In recent House and Senate votes, the Australian Parliament amended the Privacy Act 1988, introducing mandatory data breach notification requirements for entities regulated by the Privacy Act. Who is Subject to the New Legislation? The recent bill requires entities with revenue over $3 million AUD ($2.3 million USD) and certain credit reporting bodies and recipients of tax file number information to notify both the Australian Information Commissioner and affected individuals “as [...] Read more

WP29’s Guidance on the Lead Supervisory Authority

Written by
Late last week, the Article 29 Working Party (“WP29”) issued detailed guidance on companies’ obligations under three key provisions of the General Data Protection Regulation (GDPR).  This is part three of a three-part Alston & Bird series evaluating WP29's positions, and relates to  the “One Stop Shop” mechanism which aims at simplifying the way companies with operations in multiple EU countries interact with the EU supervisory authorities (“SAs”). Part 1 deals with Data Protection Officer Obligations, under the GDPR, while part 2 analyzes guidance on the Right to Data Portability. The [...] Read more

FCC Proposes New Privacy Rules for Internet Service Providers

Written by
On March 10, 2016, the Federal Communications Commission (“FCC”) proposed new privacy and data security rules for Internet service providers (“ISPs”) that, if passed, would regulate how ISPs collect, use, share, and protect customers’ data. The notice of proposed rulemaking (“NPRM”) that FCC Chairman Tom Wheeler circulated for consideration by the full Commission is previewed in a three-page fact sheet that sets forth the proposed rules, which are built on the three core principles of choice, transparency, and security. In order to “provide the tools consumers need to make smart [...] Read more

Working Paper on Internet Service Providers and Privacy Released

Written by
On February 29, The Institute for Information Security and Privacy released a Working Paper titled, “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others.”  Peter Swire, Senior Counsel at Alston & Bird and Professor at the Georgia Institute of Technology Scheller College of Business authored the paper, along with Alana Kirkland, an associate in Alston’s Technology and Privacy Group and Justin Hemmings, a policy analyst at Alston & Bird and a research associate at the Georgia Institute of Technology Scheller College of Business. Broadband [...] Read more

Article 29 Working Party announces its 2016 Action Plan for GDPR Preparedness

Written by , and
During a press conference held on February 3, 2016, the President of the Article 29 Working Party (“Working Party”) discussed the Working Party’s 2016 action plan concerning the new General Data Protection Regulation (“GDPR”). The action plan lays out the groundwork required to prepare the DPAs for their new role under the GDPR and to ensure a smooth transition as the Working Party, established under the Data Protection Directive, is superseded by the European Data Protection Board (“EDPB”). The EDPB will be tasked mainly with ensuring a coordinated and consistent application of the [...] Read more

FTC Updates IdentityTheft.gov Website

Written by
The Federal Trade Commission (FTC) has announced updates to the IdentityTheft.gov website aimed at making the site more useful to victims of identity theft. The changes will enable consumers to quickly file complaints and develop a personalized recovery plan after answering a number of questions on the site. “Our hope is that this is going to make it much easier for consumers to start on their road to recovery,” FTC Chairwoman Edith Ramirez said during a news conference revealing the changes. “Having one easy set of steps to understand what [the recovery process] entails and getting a [...] Read more

FTC’s Ability to Regulate Data Security Potentially Limited in FTC v. LabMD

Written by and
A November 13, 2015 decision from the Federal Trade Commission’s Chief Administrative Law Judge, D. Michael Chappell, calls into question FTC enforcement in the data privacy space.  The case began when the FTC filed a complaint on August 28, 2013 after an employee of LabMD, a cancer detection laboratory, downloaded peer-to-peer (“P2P”) software that exposed patient information on the file sharing network (also known as “1718 File”). An online security firm named Tiversa found this file on a peer-to-peer file-sharing network in 2008 and used it to solicit work protecting LabMD’s data. The [...] Read more

A Busy Month for German Data Protection

Written by
The European Court of Justice handed down its Schrems decision invalidating the Safe Harbor mechanism on October 6, 2015.  Since then, companies have been looking to the Data Protection Authorities (DPAs) of EU member states to see how the decision would be interpreted and enforced. As many companies know, Germany is a multifaceted data-protection landscape.  Germany maintains seventeen (17) independent DPAs.  Sixteen of these DPAs are run by the German states (or Länder), and these state-run DPAs are primarily responsible for overseeing private companies.  The remaining DPA is run by Germany’s [...] Read more

Peter Swire Quoted In International Business Times on “Peeple” App Privacy Concerns

Written by
Peter Swire, senior counsel in Alston & Bird’s Privacy & Data Security Group and Georgia Institute of Technology Scheller College of Business professor was quoted in International Business Times regarding privacy compliance concerns for the soon-to-be rating app “Peeple.” The app, nicknamed “Yelp for Humans” by the media, will allegedly allow users to review other people without having to obtain permission to create a profile on their behalf. In addition, the user will be asked to enter a cell phone number for the person for whom they are creating a profile. There are multiple [...] Read more

Third Circuit Affirms FTC’s Authority to Regulate Data Security

Written by
On August 24, 2015, the Third Circuit affirmed U.S. District Court Judge Esther Salas’ April 2014 ruling in FTC v. Wyndham Worldwide Corp., et al. (“Wyndham”) that the FTC has the authority to regulate private companies’ cybersecurity practices under Section 5 of the FTC Act. (Prior blog posts on this case can be found here and here).  In this highly anticipated precedential opinion, the Court decided that Wyndham’s cybersecurity practices as alleged by the FTC fit the definition of “unfair” when compared with its stated security policies.  In doing so, the Court rejected Wyndham’s [...] Read more