Text Messaging
Subscribe to Text Messaging's Posts

Processing Personal Data in Russia? Consider These Changes to Russian Law and How They May Impact Your Business

Changes Impacting Businesses that Process Personal Data in Russia

On July 21, 2014, a new law Federal Law № 242-FZ was adopted in Russia (Database Law) introducing amendments to the existing Federal Law “On personal data” and to the existing Federal Law “On information, information technologies and protection of information.”  The new Database Law requires companies to store and process personal data of Russian nationals in databases located in Russia.  At a minimum, the practical effect of this new Database Law is that companies operating in Russia that collect, receive, store or transmit (“process”) personal data of natural persons in Russia will be required to place servers in Russia if they plan to continue doing business in that market.  This would include, for example, retailers, restaurants, cloud service providers, social networks and those companies operating in the transportation, banking and health care spheres.  Importantly, while Database Law is not scheduled to come into force until September 1, 2016, a new bill was just introduced on September 1, 2014 to move up that date to January 1, 2015.  The transition period is designed to give companies time to adjust to the new Database Law and decide whether to build up local infrastructure in Russia, find a partner having such infrastructure in Russia, or cease processing information of Russian nationals.  If the bill filed on September 1 becomes law, however, that transition period will be substantially shortened and businesses operating in Russia will need to act fast to comply by January 1.

Some mass media in Russia have interpreted provisions of the Database Law as banning the processing of Russian nationals’ personal data abroad.  However, this is not written explicitly into the law and until such opinion is confirmed by the competent Russian authorities, this will continue to be an open question.  There is hope that the lawmakers’ intent was to give a much needed boost to the Russian IT and telecom industry, rather than to prohibit the processing of personal data abroad.  If this hope is confirmed, then so long as companies operating in Russia ensure that they process personal data of Russian nationals in databases physically located in Russia, they also should be able to process this information abroad, subject to compliance with cross-border transfer requirements.  

The other novelty of this new Database Law is that it grants the Russian data protection authority (DPA) the power to block access to information resources that are processing information in breach of Russian laws.  Importantly, the Database Law provides that the blocking authority applies irrespective of the location of the offending company or whether they are registered in Russia.  However, the DPA can initiate the procedure to block access only if there is a respective court judgment.  Based on the court judgment the DPA then will be able to require a hosting provider to undertake steps to eliminate the infringements.  For example, the hosting provider must inform the owner of the information resource that it must eliminate the infringement, or the hosting [...]

Continue Reading




read more

In with the New, Part III: 2014 Privacy, Advertising and Digital Media Predictions

Boston-based litigation partner Matt Turnell shares his predictions about class action litigation under the Telephone Consumer Protection Act (TCPA) and Electronic Communications Privacy Act (ECPA) in 2014 and Boston-based white-collar criminal defense and government investigations partner David Gacioch shares his predictions about government responses to data breaches.

Class Action Litigation Predictions

2014 is already shaping up to be an explosive year for privacy- and data-security-related class actions.  Last December’s data breach at Target has already led to more than 70 putative class actions being filed against the retailer.  With recently disclosed data breaches at Neiman Marcus and Michaels Stores—and possibly more to come at other major retailers—court dockets will be flooded with these suits this year.  And consumers are not the only ones filing class actions; banks that have incurred extra costs as a result of the data breaches are headed to court as well, with at least two putative class actions on behalf of banks filed so far against Target.

That volume of litigation related to the Target data breaches likely will be matched by a steady stream of class actions filed under the TCPA.  2013 was a busy year for the TCPA docket and I expect that the Federal Communications Commission’s (FCC) stricter rules requiring express prior written consent from the called party, which took effect in October 2013, means that 2014 will be just as busy since the majority of TCPA class actions seek statutory damages for companies’ failure to obtain consent before making autodialed or prerecorded voice calls or sending unsolicited text messages or faxes. 

In 2014, I expect to see key decisions under the ECPA related to social media platforms and email providers capturing and using content from customers’ emails and other messages for targeted advertising or other purposes.  One district court has already denied a motion to dismiss an ECPA claim challenging this conduct and I predict that other decisions are forthcoming this year.  Needless to say, decisions in favor of class-action plaintiffs in this area could have major implications for how social media sites and email providers do business.

Matt Turnell, Partner

Government Responses to Data Breaches

As significant data breaches continue to dominate the news, public awareness of data privacy and security issues will increase, as will their political appeal.  I expect to see in 2014:

  • Record numbers of breach reports to state and federal regulators, as awareness of reporting obligations spreads further and further across data owner, licensee, broker and transmitter groups;
  • More states committing more enforcement resources to data privacy and security, including budget dollars and dedicated attorney general’s office units;
  • More state/federal and multi-state coordination of investigations, leading to increased settlement leverage by enforcement authorities vis-à-vis firms under investigation; and
  • Greater numbers and dollar values of settlements by the Federal Trade Commission (FTC) and state attorneys general than ever before.

Similarly, with the HIPAA Omnibus Final Rule going into effect on September 23, 2013, coupled with the late-2013 Department of Health and Human Services [...]

Continue Reading




read more

Data Privacy Day 2014

In Boston, we celebrated Data Privacy Day (January 28) by presenting “U.S. Privacy and Data Protection: 2013 Year In Review and a Prediction of What’s to Come in 2014” for participants in an IAPP KnowledgeNet.  Our panel of speakers discussed significant U.S. data privacy and protection events from 2013 and shared thoughts about what’s ahead for 2014 in U.S. data privacy and protection.  You may download the presentation slides here.

We hope you find our presentation materials informative.   Of course, please do not hesitate to contact any member of the Of Digital Interest editorial team with questions or comments.




read more

Privacy and Data Protection: 2013 Year in Review

Privacy and data protection continue to be an exploding area of focus for regulators in the United States and beyond. This report gives in-house counsel and others responsible for privacy and data protection an overview of some of the major developments in this area in 2013 around the globe, as well as a prediction of what is to come in 2014.

Read the full report here.




read more

Consumer Data Privacy Update for Marketers, Part 2: New Telemarketing/Text Message Marketing Rules Effective October 16, 2013

The Federal Communications Commission (FCC)’s Report and Order 12-21 (Order 12-21), issued in February 2012, describes revised telemarketing rules that became effective during the past 12 months.

The FCC’s telemarketing rules are issued under the Telephone Consumer Protection Act (TCPA) and apply to a telephone call to a residential landline or wireless number or a text message that is initiated for advertising or telemarketing purposes and uses an “automatic telephone dialer system” (ATDS) or an “artificial or prerecorded” voice message.

The three major changes implemented during the past year are:

(i) Abandoned calls rule effective November 16, 2012: Telemarketers must ensure that no more than three percent of calls answered by a person are “abandoned” (i.e., not answered by the telemarketer within two (2) seconds after the called person answers) during a 30-day calling campaign period;

(ii) Opt-out mechanism effective January 14, 2013: Artificial or prerecorded telemarketing messages must include an automated, interactive mechanism that enables the called person to opt out of receiving future prerecorded messages; and

(iii) Prior express written consent rule effective October 16, 2013: “Prior express written consent” (as described below) of the called person is required[i] for:

  • telemarketing calls to a wireless telephone number when an artificial or prerecorded message or ATDS is used;
  • telemarketing text messages sent using an ATDS; or
  • telemarketing calls to a residential landline telephone number using an artificial or prerecorded message.

“Prior express written consent” means a written agreement signed by the called person that clearly authorizes delivery of advertising or telemarketing messages using an ATDS or an artificial or prerecorded voice message and clearly states that agreeing is not a condition of buying any product or service.  A written agreement may be “signed” electronically using any method recognized under the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act) or applicable state contract law.  The E-SIGN Act recognizes a signature as an “electronic sound, symbol or process” that is “attached or logically associated with” an agreement and “adopted by a person with the intent to sign.”

Although industry standards have required express opt-in consent for recurring text messaging programs prior to implementation of the FCC’s prior express written consent rule, consent obtained under the old regulatory framework is not sufficient under the new FCC consent rule because (among other requirements) the “agreement” to which the consumer consents (i) must include reference to use of automated technology and (ii) “must be obtained without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service.”

Action Step for Marketers: Obtain New Opt-in Consent for Telemarketing and Mobile Marketing

Obtaining new opt-in consent consistent with the requirements of the new FCC consent rule is best practice because the sender bears the burden of proving that it has obtained prior express written consent that meets the FCC standards.  Relatedly, implementation of a record-keeping system through which evidence of compliant consent is retained for at least three years (i.e., the statute [...]

Continue Reading




read more

STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law