Articles Posted in Cybersecurity and Privacy


Rafi Azim Khan and Steve Farmer recently published an article in World Data Protection Report titled “Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0.”

What exactly is the ‘”best” solution for an international business needing to handle and transfer personal data across borders?

This has become an increasingly important and common question as business becomes more global and companies grow, reorganise or merge.


The end of 2012 saw a flurry of activity in the area of privacy enforcement. In July, Kamala Harris, the Attorney General of California, announced the formation of California’s own state agency, Attorney General Kamala D. Harris Announces Privacy Enforcement and Protection Unit to investigate and enforce the state’s robust privacy laws. By the end of the year, Harris made it clear that she did not intend this new unit to sit on the sidelines. On December 6th, Harris filed a groundbreaking civil suit against Delta Air Lines alleging a violation of the California Online Privacy Protection Act for the company’s failure to include a privacy policy on its “Fly Delta” mobile app. The State of California is seeking up to $2,500 in penalties from Delta for each violation of the California law.

California is not the only government entity that is ramping up its privacy enforcement efforts. The Federal Trade Commission has signaled that it plans to get in on the action as well. On August 9th, the FTC announced a record $22.5 million civil penalty to be paid by Google in order to settle charges that the company made misrepresentations with respect to how it planned to track users’ online activity.

On December 10th, the FTC published a report following up on a year-long investigation in which it found only 20% of mobile apps targeting children properly disclosed how the apps collected and shared personal data. The FTC announced it would be launching multiple investigations to determine whether certain companies have violated the Children’s Online Privacy Protection Act (COPPA), which requires operators of online services (including mobile apps) directed to children under the age of 13 to provide notice and obtain parental consent before collecting personal information from children. The FTC’s record settlement with Google suggests that these investigations could yield serious penalties.


“Everywhere you look, the quantity of information in the world is soaring.”

ICD has predicted that, by 2012, mankind will have created 2.7 zettabytes of data! The numbers are mind boggling – a zettabyte is a 1 billion terabytes. With all of that data comes the Next Big Thing – namely, Big Data.

What is Big Data?


On 16 August 2012, the ICO published guidance on deleting personal data under the Data Protection Act 1998 (DPA). The guidance describes how organisations can ensure compliance with the DPA when they delete or archive personal data, and explains what the ICO means by deletion and archiving and introduces the concept of putting personal data ‘beyond use.’ The guidance aims to counteract the problem of organisations informing people that their personal data has been deleted when, in fact, it is merely archived and could be re-instated; archived information is “subject to the same data protection rules as ‘live’ information, although information that is in effect inert is far less likely to have any unfair or detrimental effect on an individual than live information.”

Given the fifth data protection principle which provides that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes,” the deletion of personal data is an important activity for organisations which control or process personal data. The ICO notes that, although the DPA does not define “delete” or “deletion”, a plain English interpretation implies “destruction” which, in the case of electronic storage, is less certain than, say, incineration of paper records, since information which has been “deleted” may still exist within an organisation’s systems in some form or other.

The ICO says that it will “adopt a realistic approach in terms of recognising that deleting information from a system is not always a straightforward matter and that it is possible to put information ‘beyond use’, and for data protection compliance issues to be ‘suspended’ provided certain safeguards are in place.” The ICO gives specific examples of where putting information ‘beyond use’ would be an acceptable alternative to ‘deletion’. For example, an acceptable alternative may arise where for technical reasons, it is not possible to delete this information without also deleting other information held in the same batch, or where information has been deleted with no intention on the part of the data controller to use or access this again, but which may still exist in the electronic ether where it is waiting to be over-written with other data. The ICO will be satisfied that information has been ‘put beyond use’ if the “data controller holding it:


When customers sign a contract with a service provider that will be holding the customer’s confidential data (for example, the customer’s business records, human resources data, personally identifiable information, protected health information, payroll data), in addition to laying out the service provider’s responsibility for protecting the data, customers focus on restrictions allowing the customer to audit and confirm over the life of the contact that its data is being stored and maintained securely and appropriately by the service provider.

However, everyone (including service providers) seems to be outsourcing or subcontracting today. Customers must be vigilant about ensuring that their service contracts allow them not only to review, audit and confirm that their service provider is maintaining their data appropriately, but also that the customer can track and audit any customer data held by their service providers’ subcontractors (and those subcontractors’ subcontractors, and so on).

Service providers today frequently partner with subcontractors to provide discrete portions of their suite of services – sometimes those subcontracted services are (arguably) “not material” to the overall scope of the services provided, while sometimes those subcontracted services are mission-critical.


A key finding in the Trustwave 2012 Global Security Report is that in 76% of data breach investigations a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies. This should concern any company that outsources the processing, storage or transmission of personally identifiable information (PII) to suppliers of IT or business process outsourcing services.

With the average cost of a data breach in excess of $5 million and the associated reputational risk, outsourcing customers should review their contracts to ensure they contain appropriate commitments and accountability from the supplier with respect to data security. Below is a brief outline of some of the key provisions that should be part of an outsourcing agreement.

Supplier Commitments: Suppliers should commit to the following:


Starting on 26 May 2012 the UK Information Commissioner’s Office (“ICO”) will begin enforcing sweeping changes to the EU cookie law put in place 12 months ago. By way of reminder, following a change to the EU’s Privacy and Electronic Communications Directive (the “E-Privacy Directive”) back in 2011, the rules on using cookies to track/store information on users are about to change.

Unless an exception applies, the new requirement essentially prohibits the use of cookies absent the consent of the user (unless the cookie is “strictly necessary”). The new rules apply regardless of where the website is based, if European personal data is collected.

In other words, a website operator over which the ICO has jurisdiction, wherever the operator is based in the world, will be unable to argue it was still getting its house in order if the ICO comes knocking.


India’s recent demand for European Union designation as a data secure country (see our blog) has brought the issue into the spotlight. Here we take a closer look at those nations which have achieved EU recognition and the benefits of doing so.

Article 25.1 of the Data Protection Directive (in the UK enacted through the eighth principle of the Data Protection Act, 1998) prohibits the transfer of personal data to a third county (i.e. a country or territory outside the EEA) unless that third country provides an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Several exceptions to this rule are available including, in particular, the use of the approved EC model clauses.

Data transfers to third countries can take place in many circumstances, such as where an EU- based business relocates functions to subsidiaries outside the EEA, establishes an offshore shared service centre which processes, for example, HR or payroll data, where data is transferred for offshore processing as part of an outsourcing agreement with a third party supplier or as part of a hosting or cloud computing deal. The onus is on the data controller to ensure that he complies with the eighth data protection principle in relation to any cross-border data transfer of personal data.


According to a report in the Economic Times of India, the Indian government has demanded that the European Union designate her as a data secure country. The request came in the context of current bilateral free trade agreement negotiations. An Indian government official is reported saying “Recognition as a data secure country is vital for India to ensure meaningful access in cross border supply.” The official goes on the state that “we have made adequate changes in our domestic data protection laws to ensure high security of data that flows in.”

Seasoned India-watchers may disagree. Traditionally India has had no dedicated privacy or data protection laws, with various statutory aspects scattered under a number of enactments, such as India’s cyber law, The Information Technology Act 2000. In 2011, India finally enacted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 to implement parts of the Information Technology (Amendment) Act 2008. The 2011 Rules cover a subset of personal data (referred to as sensitive personal data, but unhelpfully the meaning of this term differs from that used in the Data Projection Directive) and lay down security practices and procedures that must be followed by organisations dealing with such sensitive personal data.

The 2011 Rules were broad in scope and ambiguously drafted. The impact on the outsourcing sector was unclear and subsequent clarifications had to be rushed through by the Indian government. These clarifications helped somewhat but were still found wanting, with one commentator describing them as “half baked.”

By and

Since the start of the 112th Congress, there has been a heightened focus on cybersecurity. Congress has not passed new cybersecurity related legislation since 2002 when the Federal Information Security Management Act was enacted. In 2011, the Obama Administration announced its cybersecurity proposal, and a number of bills are currently active in both the House and Senate that focus on different aspects of cybersecurity and the mechanisms to protect private infrastructure and networks against cyber threats. One of the major philosophical differences between the various bills is which government entity should be responsible for cybersecurity – the Department of Homeland Security (DHS) or the National Security Agency (NSA). The Administration’s proposal favors DHS over NSA.

The most widely supported proposal is the bipartisan Cybersecurity Act of 2012 sponsored by Sens. Joe Lieberman (I-Conn) and Susan Collins (R-Maine). The hallmark of this Bill is the requirement that companies notify DHS of intrusions into their networks and the creation of mandatory compliance with industry specific cybersecurity standards. Senator John McCain (R-AZ) has a competing bill in the Senate, the Secure IT Act (S.2151), that focuses on self-regulation by the private sector rather than imposing government standards.

In the House, there are three notable active bills: (i) The Secure IT Act (H.R. 4263) , (ii) the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act “PRECISE Act” (H.R. 3674), and (iii) the Cyber Intelligence Sharing and Protection Act of 2011(H.R. 3523). The House Secure IT Act was introduced on March 27, 2012, and mirrors Sen. McCain’s version of the bill. The two other bills set cybersecurity standards for critical private networks and focus on information sharing mechanisms between the government (notably the NSA) and internet service providers so that threatening traffic can be blocked before causing harm.