Privacy Bulletin: Issue No. 28

Womble Carlyle's "Privacy Bulletin" highlights select developments that might be of interest to entities that collect or use personally identifiable information. Protecting a person’s privacy is a challenge to businesses, universities, and all other entities that collect personal information, particularly given the proliferation of personally identifiable information contained in consumer and employee records. Womble Carlyle issues its Privacy Bulletin twice a month.

In the News
Governor Schwarzenegger Vetoes Update to Privacy Law: On October 11, 2009, California Governor Arnold Schwarzenegger vetoed Senate Bill 20, introduced by State Senator Joe Simitian’s (D-Palo Alto). The bill would have updated and strengthened California’s existing privacy protection law, which already contains rigorous breach notification requirements, to provide victims of data breach with specific information about the incident. The Governor cited the extra measures as “unnecessary” because they do not provide any additional consumer benefits.

NebuAd Case Dismissed: On October 12, 2009, Judge Thelton Henderson of the United States District Court for the Northern District of California dismissed a lawsuit filed against six Internet Service Providers who had previously worked with NebuAd, a now-defunct behavioral targeting platform. While the suit was dismissed for improper venue, Judge Henderson rejected defendants' claim that they did not engage in any wrongdoing because they merely allowed the software to be installed. It is likely that the plaintiffs, web users, will refile their claim in another jurisdiction.

FTC Settles Six Separate Complaints for Safe Harbor Violations: On October 5, 2009, the Federal Trade Commission (FTC) announced it has proposed settlement agreements with six companies who deceptively claimed they were abiding with the U.S. Safe Harbor, a privacy framework that permits U.S. companies to transfer data from the European Union to the U.S. The framework is a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The settlements demonstrate a renewed enforcement effort by the FTC regarding Safe Harbor compliance.

DHS Releases Privacy Report: In late September, the Department of Homeland Security (DHS) released a report that takes a "detailed and comprehensive look" at the activities of the DHS privacy office between July 2008 and June 2009. DHS has published an annual privacy report since 2003 to chronicle how its activities impact privacy. The report is supposed to help Congress measure whether the agency is meeting constitutional requirements for privacy and civil liberties.

Accounting Groups Update Generally Accepted Privacy Principles: On October 5, 2009, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) published an updated version of their Generally Accepted Privacy Principles (GAPP). The principles provide criteria and informational material for protecting the privacy of personal information by certified public accountants (CPAs). The principles focus on: Management, Notice, Choice and Consent, Collection, Use, Retention, Disposal, Access, Disclosure to Third Parties, Security for Privacy, Quality, Monitoring, and Enforcement.

Privacy and Data Protection Team

The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.