Security, Privacy and Information Governance

Category: Privacy

Page 2 of 11

Singapore Joins APEC Cross-Border Privacy Rules System and Privacy Recognition for Processors Program


Singapore recently became the latest country to join the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) System.  Singapore is the CBPR’s sixth participant, joining the United States, Mexico, Japan, Canada, and the Republic of Korea.  Singapore also became the second country to join APEC’s new Privacy Recognition for Processors (“PRP”) program, joining only the United States.

As a member of APEC’s CBPR, Singapore’s personal data protection regime has been deemed to be in alignment with the CBPR’s focus on facilitating data flows between economies and preventing accidental disclosure and misuse of personal data vis-à-vis online transactions.  Remarking on this move, Singapore’s Personal Data Protection Commissioner Tan Kiat How stated, “[t]he seamless exchange of personal data will enable certified Singapore business to plug into even more regional and global business opportunities.  Meanwhile, our consumers will enjoy greater peace of mind when they shop or use vital services online.”

Endorsed by APEC Leaders in 2011, the CBPR is a voluntary, accountability-based system that implements the APEC Privacy Framework (the “Framework”) by reducing barriers to information flows, enhancing consumer privacy, and promoting interoperability across regional data privacy regimes.  Created in 2004, the Framework was developed to facilitate the flow of information between the 21 APEC member economies and their trading partners, by promoting a common set of data privacy principles designed to strengthen consumer privacy protections, encourage digital commerce, and facilitate trade and economic growth.  Both the CBPR and the Framework apply only to personal information controllers, whereas the PRP program focuses exclusively on personal information processors.  Finalized in 2016, the PRP program was designed to certify privacy compliance for personal information processors within the Asia-Pacific region by offering a Trustmark certification to processors that demonstrate their capacity to assist data controllers in complying with relevant privacy obligations.  The PRP program was created in order  that (1) data controllers are able to identify qualified data processors to implement data controllers’ data processing obligations, (2) data processors are able to demonstrate their ability to provide effective implementation of a controller’s privacy requirements, and (3) small and medium-sized institutions are able to gain exposure and visibility into a global data processing network.  Collectively, the CBPR, Framework, and PRP make up the three legs of APEC’s current data protection construct.

APEC is one of the leading Asia-Pacific economic forums designed to “support sustainable economic growth and prosperity in the Asia-Pacific region.”  The three pillars of APEC’s agenda focus on trade and investment liberalization, business facilitation, and economic and technical cooperation.  APEC currently has 21 member jurisdictions, including Australia, Brunei Darussalam, Canada, Chile, the People’s Republic of China, Hong Kong, Indonesia, Japan, Republic of Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, The Philippines, Russia, Singapore, Chinese Taipei, Thailand, the United States, and Vietnam.

Learn more about the APEC Privacy Framework.

Learn more about the APEC Cross Border Privacy Rules.

FTC Settlement with PayPal Resolving Allegations That Venmo Made Misrepresentations to Consumers and Violated the Gramm-Leach-Bliley Act


The FTC has entered into a Consent Agreement with PayPal, Inc., settling allegations that PayPal, through its operation of Venmo, had violated Section 5 of the FTC Act and the Gramm-Leach-Bliley Act’s (“GLBA”) Privacy and Safeguards Rules.   PayPal operates Venmo, a payment and social networking application and website that allows consumers to make peer-to-peer payments, which also shares information regarding such payments through a social network feed.  The agreement will be subject to public comment for 30 days.

Continue reading

New Initiative Examines Ethics of Research Using ‘Pervasive’ Data


Data – big or small – has tremendous potential for use (and misuse).  For example, using mobile apps to keep track of one’s own physical activity or caloric intake may empower individuals to improve their health.  Should other parties (e.g., that app’s developer, physician, employer, insurance company, online friends) be able to access the same information, and if so, under what conditions? As another example, expressing one’s own feelings and preferences on a social media platform may strengthen bonds within a professional community or a family group, expedite academic collaborations, and/or improve an individual’s sense of belonging.  However, may those same messages – freely expressed in a public domain – be re-purposed for a study of mental health trends or for marketing strategies; and if so – when/how/by whom, or why/why-not?  Questions like these touch on a host of ethical and legal issues that only recently began to be explored in depth, even as new norms of individual behavior, human interactions, and treatment of data are evolving.     

Continue reading

European Commission Issues GDPR Guidance


The European Commission (EC) recently issued online guidance on the General Data Protection Regulation (GDPR), a sweeping European Union (EU) data protection legislation that will take effect on May 25, 2018.  The guidance is intended to be used as a tool to help businesses as well as the EC, national data protection authorities, EU Member States, and other national administrations prepare for the GDPR.  To date, only 2 EU Member States – Germany and Austria – have adopted the relevant national legislation to be in compliance with GDPR.

Continue reading

Information Injury Workshop Covers Non-Financial Harms Faced By Consumers


The Federal Trade Commission held its Information Injury Workshop in December in Washington D.C. The goal of the workshop was to explore how to characterize and measure information injuries to consumers.

Information injury is the harm that a victim suffers as a result of privacy or data security breach. Financial, health and safety injury are the most common types of alleged injuries that the FTC has seen in privacy and data security in the past few years. Yet, injury that does not cause financial harm can be challenging to quantify.

Continue reading

FDA Approves Software Application That Alerts Providers of Potential Stroke in Patients


On February 13, 2018 FDA approved a software application with clinical-decision support capability, in this case alerting providers of a potential stroke in patients. The system, “Viz.AI Contact,” is developed by a US/Israeli company named Viz.ai, which uses artificial intelligence and machine deep learning for analyzing medical images.  Earlier in January, this system also received a CE Mark from the European authorities.

Stroke is caused by an interrupted blood supply to the brain; for example, due to a blood vessel’s rupture.  Stroke is among leading causes of mortality and long-term disability in the U.S. and other countries.  The Viz.AI Contact system analyzes brain computed tomography (CT) scans, identifies a suspected large vessel blockage, and sends a text notification to the health care specialist.

Continue reading

« Older posts Newer posts »

© 2018 Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

Disclaimer/Privacy Policy