March 2016

Norton Rose Fulbright is pleased to announce that Anna Gamvros, a leading lawyer in outsourcing, privacy and data protection, has joined as partner in Hong Kong.

Gamvros has more than 14 years’ experience working as a technology and privacy lawyer

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “AP”) announced on March 8, 2016, that two companies agreed to stop processing employees’ personal health data after the AP initiated an investigation into the employers’ practices. The two companies provided their employees with wearable devices (or “wearables”), which allowed the companies to track their employees’ physical activity and sleep patterns. In addition to the two investigations, the AP issued guidance to employers emphasizing that employers are prohibited from engaging in this practice.

The FCC announced last week that it reached a settlement with Verizon Wireless (“Verizon”) over its use of “supercookies.” More specifically, the FCC alleged that Verizon inserted unique identifiers into the headers of its customers’ HTTP requests to support its targeted advertising programs, and that customers had not consented to this practice. In this post, we analyze the settlement and some of its unique features.

The Federal Trade Commission (FTC) has ordered nine companies to file Special Reports detailing how they assess their clients’ compliance with Payment Card Industry Data Security Standards (PCI DSS). Payment card issuing companies require businesses that process over one million card transactions per year to undergo PCI DSS compliance assessments, or audits, performed by PCI Qualified Security Assessors (QSAs), to ensure that the businesses comply with PCI DSS and are adequately protecting their customers’ sensitive personal information. The Order includes a laundry list of requests related to the targeted companies’ PCI DSS assessment process, from the bidding for and staffing of compliance assessments, to the number and percentage of clients that are ultimately determined to be PCI DSS compliant or non-compliant. 

On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) released a Consent Order entered between it and Dwolla, a company providing an online money transfer and payment processing platform to consumers.  The Consent Order alleges that Dwolla made false representations concerning its data security practices and engaged in deceptive acts and practices in connection with the offering of consumer financial products or services, in violation of the Consumer Financial Protection Act of 2010 (“CFPA”) sections 12 U.S.C. 5531(a) and 5536(a)(1).

This is the CFPB’s first foray into the data security and privacy enforcement space and could foreshadow additional similar enforcement activity.  Interestingly, it appears that this investigation and Consent Order was not triggered by a security breach suffered by Dwolla.  Although the CFPB’s approach and enforcement rationale is reminiscent of similar actions taken by the FTC, the Consent Order is the first of its kind and has its own quirks.  In this post we take a deeper look at the CFPB’s action and the Dwolla Consent Order.

Dubai has issued a new law regulating the dissemination and exchange of data in the Emirate. This is one of the first open data initiatives in the Middle East and is being promoted by the Prime Minister’s office as a significant step forward in Dubai’s cyber legislation and smart city ambitions.