Blog

Failure to Protect Against SQL Injection Attack Deemed an “Unfair Practice”

Francoise Gilbert

A proposed Federal Trade Commission consent order applicable to Ceridian Corporation establishes that failure to protect against potential SQL injection attacks is an “unfair practice” actionable under Section 5 of the FTC Act. Despite representations that it maintained “worry-free safety and reliability” and that it had a security program designed in accordance with the ISO 27000 standard, the company’s security system had several flaws. Among other things, Ceridian failed to use readily available defenses against SQL injection attacks. When a successful SQL injection attack caused the exposure of sensitive personal information of nearly 28,000 individuals, the FTC initiated an enforcement action. This action led to the development of the proposed FTC consent order, which was published on May 3, 2011.


More Changes in the EU Data Protection Regime – 2006 Data Retention Directive to be Amended

Francoise Gilbert

The European Commission has announced that it plans to amend the 2006 Data Retention Directive, Directive 2006/24/EC. This Directive states that the national laws of the EU Member States must require providers of publicly available electronic communications services and public communications networks to retain traffic and location data for a period between six months and two years, in order to allow for the investigation, detection and prosecution of serious crime.

According to the Report of the EU Commission, while it is clear that rules on data retention remain necessary as a tool for law enforcement, the protection of victims, and the criminal justice systems, the current regime has many flaws. The report, published in mid-April 2011, provides an initial analysis of the problems raised by the current text of the 2006 Data Retention Directive and explains that the Commission intends to develop a better legal framework that balances the needs of governments, the rights of data subjects, and the financial constraints of the operators.


Proposed Overhaul of the 2006 Data Retention Directive

Francoise Gilbert

While the Data Protection regime of the European Union is going through a facelift and amendments are expected to be published by 2012, the European Commission has announced that it is embarking on another major project that focuses on the protection of personal data and privacy rights. This time, the target is the 2006 Data Retention Directive, Directive 2006/24/EC. In its Evaluation Report on the Data Retention Directive (Directive 2006/24/EC), COM (2011) 225 (Communication 225), published in April 2011, the European Commission has announced its intent to revise the 2006 Directive with a view to proposing an improved legal framework that balances the needs of governments, the rights of data subjects, and the financial constraints of the operators.
 
Communication 225 analyses how the 2006 Data Retention Directive has been implemented (or not) in the national laws of the Member States, with a view to determining whether the 2006 Directive should be amended, in particular with regard to its data coverage and retention periods. The report points to the lack of uniformity and discrepancies in these implementations, identifies deficiencies, and analyses the impact of the retention requirements on economic operators and consumers. It also evaluates the implications of the Directive on the protection of fundamental rights, in view of the criticisms that have been made with respect to the retention of personal data for national security reasons. The report concludes that the provisions set forth in the 2006 Data Retention Directive need improvement and indicates how the European Commission plans to drive the preparation of an amendment. 



New Draft Privacy Guidance in China

Marissa Xiao Dong 

In April 2011, the Ministry of Industry and Information Technology (MIIT), jointly with the State General Administration for Quality Supervision, Inspection and Quarantine (AQSIQ), released a draft of “Information Security Technology – Guide of Personal Information Protection” (the Guidance) for public comments. The Guidance is a further effort by MIIT to adopt and promote regulations for the protection of personal data, following its release of a draft Guidance for Personal Information Protection for public comments in 2010.

Compared with the previous draft, this new draft was prepared together with AQSIQ and is prepared as a GB/Z, which denotes a Chinese “national standard” that is not compulsory. According to our communication with officials at MIIT, they have not yet decided how to proceed with the formal issuance of the Guidance, whether by MIIT alone, as with the 2010 draft, or together with AQSIQ as a GB/Z, as with the new draft. Nevertheless, these efforts by MIIT and AQSIQ show that personal data protection has become an increasingly important issue in China, and that different governmental authorities are attempting to use their separate and joint efforts to facilitate legislation in this area.

A detailed analysis of the proposed guidelines will be published as part of Supplement #6 of the Global Privacy & Security Law treatise.


Privacy Laws may be a Barrier to the Taking of Evidence Abroad

Francoise Gilbert

Litigation and trials are handled in the United States in a manner that is significantly different from that which prevails in other countries. While broad discovery is available here, the gathering and use of evidence is much more limited abroad. For years, there have been disputes between US litigants and the foreign parties who were requested to produce information and documents for use in US courts. While the 1970 Hague Convention on the Taking of Evidence in Civil and Commercial Matters has provided rules for the regulated taking of evidence, there are still many barriers to the gathering of evidence from foreign parties. One of them is the data protection laws of many countries, especially those in the European Union and the European Economic Area.


Server Location: A Significant Factor in Cloud Computing Services

Francoise Gilbert

In a cloud computing environment, data and applications are hosted “in the cloud.” What that cloud is made of, and where its components are located, matters. However, if you ask a cloud service vendor where your data will be stored or processed, the typical answers will likely range from “well… hum … in the cloud” to “we have servers everywhere, data moves around constantly” or “we cannot tell you for security reasons.”

As the custodian of confidential and valuable data — personal or company information — you need to know where that data will be located at all times. In the cloud environment, location matters, especially from a legal standpoint.

How to Conquer Cloud Computing Contracts – Part 2

Francoise Gilbert

Cloud service relationships are very complex, and numerous important issues are at stake. In many cases, the use of cloud services may jeopardize an entity’s ability to comply with the numerous laws to which it is subject. In addition, even if there are no specific legal compliance requirements, sensitive data and significant intangible assets might be at risk. Thus, before venturing into the cloud, it is of utmost importance for an entity to understand the scope and limitations of the service that it will receive, and the terms under which these services will be provided.

In part 1 of this article we discussed the preliminary planning and due diligence involved with choosing a cloud service provider.

In this part 2, we review critical steps for developing, maintaining and terminating cloud computing contracts.


How to Conquer Cloud Computing Contracts – Part 1

Francoise Gilbert

The characteristics of cloud computing — on-demand self-service, elasticity, metered service and ubiquitous access — make it look like a simple and casual operation: easy to get in, easy to get out, easy to augment, and easy to shrink; just pay with your credit card. Attractive pricing structures are often justified by presenting cloud solutions as a “one-size-fits-all” product where standardization is key to reduced cost.



CNIL Exempts Foreign Based Companies from Filing Notifications with Respect to Certain Processing

Francoise Gilbert

A “Deliberation” of the CNIL (French Data Protection Authority), published in the February 16, 2011 Official Journal of the Republic of France as “Deliberation No. 2011-023,” should ease the burden on companies that have no operations in France and engage France-based subcontractors (or cloud service providers) to process their data on French territory. This is the case, for example, for US-based companies that hire French service providers to process their payroll or manage databases of client information, where the individuals concerned (employees or customers) are located outside of France.


Israel Data Protection Law Found to Provide “Adequate Protection”

In a decision made public on February 1, 2011, the European Commission determined that the data protection regime in Israel is adequate under the 1995 EU Data Protection Directive. The adequacy determination applies only to data in automated databases. The data protection law of Israel does not apply to data in manual databases. Thus, for such data, the data protection law of Israel will be deemed adequate only to the extent that data in manual databases are transferred to automated databases in Israel.

The Commission decision is available at (pdf download):
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2011:027:0039:0042:EN:PDF
