Top Monthly Privacy and Data Protection Stories

by Monique Altheim on February 23, 2014








Data Breaches



Data Brokers/FCRA



Data Security


  • The White House released the National Institute of Standards and Technology’s (NIST) Final Cybersecurity Framework: a set of industry best practices and standards to help owners and operators of critical infrastructure develop better cybersecurity programs.
  • Senate Democrats introduce the Data Security and Breach Notification Act of 2014. The bill would require the Federal Trade Commission (FTC) to promulgate federal data security standards, establish federal data breach notification requirements, criminalize concealing breaches of security involving personal information, provide potentially harsh civil penalties, and preempt state data security and breach notification laws.





EU Data Protection


  • Facebook must comply with German data protection law, the Higher Court of Berlin rules. The High Court of Berlin finds that Facebook’s data processing is handled by the US parent company, not FB Ireland. If the court had found that the user data was processed by Facebook Ireland and not by Facebook US, the Irish Data Protection law would have applied. According to the EU Directive, the law of the EU Member State applies where the company has an establishment and where the processing is carried out in the context of the activities of the establishment (EU Directive 95/46/EC, Art. 4, 1(a)). In the absence of this condition (as was the case here, since the court decided that no processing was occurring in Ireland, but instead the processing happened through data centers in the US), the second rule of applicable law applies: the law of the Member State on whose residents’ computers or other devices the data controller (FB here) sets cookies (EU Directive 95/46/EC, Art. 4, 1(c)), in this case Germany.







EU Data Protection Reform




EU-US Safe Harbor






















Q: Is a mental healthcare provider allowed to share psychotherapy notes with anyone?

A: NO, not even with another healthcare provider for treatment purposes, unless the patient gives consent. As for sharing the notes with the patient, HIPAA leaves it to the discretion of the mental healthcare provider.

Q: What if the patient threatens to blow up a school?

A: Yes, this is an imminent safety threat. Depending on the applicable State Law, there may even be a “duty to warn”.

Remember that in a State with stricter laws, the stricter State law prevails.





IoT (Internet of Things)













Technology and Lifestyles, New Developments in


  • Dropbox’s new Privacy Policy, effective March 24, includes a Government Surveillance “Manifesto”. Its new Terms of Service include an arbitration clause, which you have 30 days to opt out of.
  • Dutch telecom operator KPN has struck a deal with encrypted communications provider Silent Circle to start offering its Dutch, German and Belgian customers encrypted phone calls and text messages.


  • Apple promises fix “very soon” for Macs with failed encryption.


  • Cryptolocker scrambles US law firm’s entire cache of legal files.



  • Facebook Unveils New Tool to Read Posts and News, via @nytimes





