Data Privacy

States Begin 2016 with the Expansion of Telehealth Services

As we enter into the new year, the health industry continues to see expanded access to telehealth services.  After a whirlwind 2015 in which we saw over 200 telehealth-related bills introduced in 42 states, New York and Connecticut emerge as the first states in 2016 to implement laws that expand patients’ access to telehealth services.

Effective January 1, 2016, three new laws will greatly expand telehealth services across the state of New York. The first law, A.2552-A, amends section 2999-cc of the New York Public Health Law regarding coverage of telehealth services by insurers, including Medicaid, and with respect to telehealth-related definitions. As defined in the New York Public Health Law, telehealth is “the use of electronic information and communication technologies by telehealth providers to deliver health care services, which include assessment, diagnosis, consultation, treatment, education, care management and/or self-management of a patient.” Among other things, A.2552-A provides that health care services delivered by means of telehealth will be entitled to reimbursement under New York’s Medicaid program, and private insurers may not exclude from coverage a service that is otherwise covered under a patient’s insurance policy because the service is delivered via telehealth. Under this law, reimbursement for telehealth services is contingent upon services being delivered by a telehealth provider when the patient is located at an approved originating site. The second law, A.7488, amends section 2999-cc of the Public Health Law by adding physical therapists and occupational therapists to the list of telehealth providers that are able to provide telehealth services. Lastly, the third law, A.7369, amends section 2999-cc by including a dentist’s office as an “originating site” for the delivery of telehealth services.

Connecticut, like New York, started off 2016 with continued efforts to promote telehealth services. Connecticut’s existing telehealth law, which became effective in October 2015, broadly defines “telehealth” as “the mode of delivering health care or other health services via information and communication technologies to facilitate the diagnosis, consultation and treatment, education, care management and self-management of a patient’s physical and mental health, and includes (A) interaction between the patient at the originating site and the telehealth provider at a distant site, and (B) synchronous interactions, asynchronous store and forward transfers or remote patient monitoring.” Under the new Connecticut law, CT Public Act No. 15-88, effective January 1, 2016, commercial insurers must cover telehealth services in the same manner that they cover in-person visits and telehealth coverage must be subject to the same terms and conditions that apply to all other benefits under a patient’s insurance policy.

As the importance of improving access to care and care coordination and identifying cost savings in the delivery of health care services increases, states should continue to steadily expand efforts to allow health care services via telehealth.  While many states have made strides to expand the use of telehealth services, many more have not taken steps to require reimbursement by Medicaid programs or private insurers. At the same time, the multi-state licensure compact developed by [...]


Safe Harbor Update: European Commission Reaffirms Commitment to a Safe Harbor Sequel

As we reported on October 19th, the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data challenged the EU member states to “open discussions with the US” to find a viable alternative to the Safe Harbor program. Today, the European Commission (EC) issued a public statement confirming its commitment to working with the United States on a “renewed and sound framework for transatlantic transfers of personal data.” The apparent trigger for today’s announcement is “concerns” from businesses about “the possibilities for continued data transfers” while the Safe Harbor Sequel is under negotiation.

In its statement, the EC confirms that during the pendency of the U.S.-EU negotiations, Standard Contractual Clauses and Binding Corporate Rules (BCRs) are viable bases for legitimizing data transfers that formerly were validated by the Safe Harbor Program.

The EC was careful to note that today’s guidance “does not lay down any binding rules” and “is without prejudice to the powers and duty of the DPAs (Data Protection Authorities) to examine the lawfulness of such transfers in full independence.”  In other words, a DPA still may decide that Standard Contractual Clauses and BCRs are not viable under its country’s laws.


FTC Sees Disconnect on Proposed Connected Cars Legislation

The Energy & Commerce Committee of the U.S. House of Representatives held a hearing on October 21st titled “Examining Ways to Improve Vehicle and Roadway Safety” to consider (among other matters) Vehicle Data Privacy legislation for internet-connected cars.

The proposed legislation includes requirements that auto manufacturers:

  • “Develop and implement” a privacy policy incorporating key elements on the collection, use and sharing of data collected through technology in vehicles. By providing the policy to the National Highway Traffic Safety Administration, a manufacturer earns certain protection against enforcement action under Section 5 of the Federal Trade Commission Act.
  • Retain data no longer than is determined necessary for “legitimate business purposes.”
  • Implement “reasonable measures” to ensure that the data is protected against theft/unauthorized access or use (hacking).

Manufacturers that fail to comply face a maximum penalty, per manufacturer, of up to $1 million. The penalty for failure to protect against hacking is up to $100,000 per “unauthorized” access.

Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, of the Federal Trade Commission (FTC), testified that the proposed legislation “could substantially weaken the security and privacy protections that consumers have today.”

The FTC’s criticism focuses on the proposed safe harbor against FTC enforcement for manufacturers. The FTC testified that a manufacturer should not earn immunity under the FTC Act if the privacy policy offers little or no privacy protection, or is not followed or enforced. The FTC expressed disapproval of provisions allowing retroactive application of a privacy policy to data previously collected. The FTC also advised against applying the proposed safe harbor to data outside of the vehicle, such as data collected from a website or mobile app.

Although the FTC applauded the goal of deterring criminal hacking of the auto systems, the FTC testified that the legislation, as drafted, may disincentivize manufacturers’ efforts in safety and privacy improvements. The testimony echoed that of other industry critics who believe that what is considered “authorized” access is too vague, which may prevent manufacturers from allowing others to access vehicle data systems, such as for repair or research on an auto’s critical systems.

Finally, the FTC criticized the provisions creating a council to develop cybersecurity best practices.  Since the council could operate by a simple majority, it could act without any government or consumer advocacy input, diluting consumer protections.

The hearing agenda, as well as the text of the draft legislation, is available here.

The FTC’s prepared statement, as well as the text of the testimony, is available here.


Safe Harbor Update: House Votes to Pass Judicial Redress Act

The Judicial Redress Act of 2015 (H.R. 1428) (Judicial Redress Act) is on its way to the U.S. Senate. On October 20th, the U.S. House of Representatives voted in favor of passage.

The Judicial Redress Act extends certain privacy rights under the Privacy Act of 1974 (Privacy Act) to citizens of the EU and other specified countries.

The preamble to the Judicial Redress Act states that:

“The Judicial Redress Act provides citizens of covered foreign countries with the ability to bring suit in Federal district court for certain Privacy Act violations by the Federal Government related to the sharing of law enforcement information between the United States and a covered foreign government. Any such lawsuit is subject to the same terms and conditions that apply to U.S. citizens and lawful permanent residents who seek redress against the Federal Government under the Privacy Act. Under current law, only U.S. citizens and lawful permanent residents may bring claims against the Federal Government pursuant to the Privacy Act despite the fact that many countries provide U.S. citizens with the ability to seek redress in their courts when their privacy rights are violated. Enactment of this legislation is necessary in order to promote and maintain law enforcement cooperation and information sharing between foreign governments and the United States and to complete negotiations of the Data Protection and Privacy Agreement with the European Union.”

The House’s passage of the Judicial Redress Act is expected to help mitigate one of the key criticisms of U.S. privacy protection from EU regulators. As discussed in our blog posts from earlier this month, in the Court of Justice of the European Union (CJEU) decision invalidating the U.S.-EU Safe Harbor Program, the CJEU noted that EU residents lack an “administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.”  Once passed by the Senate (as is generally expected), the Judicial Redress Act will provide that means of redress.

Check back for updates on the Senate’s consideration of the Judicial Redress Act and the ongoing EU-US negotiations about a Safe Harbor Sequel.


Safe Harbor Update: Safe Harbor Sequel Coming Soon?

As we wrote on October 6, 2015, the Court of Justice of the European Union (CJEU) announced its invalidation of the U.S.-EU Safe Harbor program as a legally valid pathway for transferring personal data of European Union (EU) residents from the EU to the United States. An avalanche of reports, analyses and predictions followed the CJEU announcement because so many U.S. businesses operating in the EU relied on the validity of the Safe Harbor program.

As we expected, the CJEU decision was not the final chapter. On October 16, the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (the Working Party, an independent advisory board to data protection authorities in EU member states) called on the EU member states to “open discussions with the US” to find a viable alternative to the Safe Harbor program.

Echoing the CJEU’s concern about “massive and indiscriminate surveillance” by the U.S. government, the Working Party challenged the United States and EU to produce by 31 January 2016, a new data transfer framework with “stronger guarantees” of EU residents’ “fundamental rights” to data privacy, as well as “redress mechanisms” for violations.

In the meantime, the Working Party affirmed that data transfers formerly validated by the Safe Harbor program are not legal. It also noted its intent to evaluate the validity of the two other key EU-U.S. data transfer pathways: Binding Corporate Rules (BCRs) and Standard Contractual Clauses.

What This Means for U.S. Businesses

While waiting for news of Safe Harbor: The Sequel, our Privacy and Data Protection Group continues to advise a business that relied on the Safe Harbor program to:

  1. Classify the data transferred from the EU to the United States (employee, consumer, business contacts, etc.).
  2. Determine which of the data transfers from the EU to the United States were formerly validated by Safe Harbor.
  3. Identify vendors that transfer EU personal data for the business and determine how those vendors validate their transfers (e.g., Did a vendor represent that it could make legitimate transfers via Safe Harbor, and, if so, what happens now?).
  4. Decide how best to address EU to U.S. personal data transfers under one of the other data transfer pathways based on data classification (e.g., Binding Corporate Rules for intra-company transfers; Standard Contractual Clauses for transfers to third parties that do not otherwise meet EU requirements; or consent of each EU data subject—an impractical option for high-volume transfers).

Stay tuned for more on Safe Harbor: The Sequel and guidance for businesses.


Employee consent to use of personal data reliable under German law

The German Federal Labor Court (Bundesarbeitsgericht (BAG)) has published the reasons for its two decisions about whether an employee can revoke consent given to his or her employer for public use of the employee’s image in photos, videos or other marketing materials (BAG 19 February 2015, 8 AZR 1011/13; BAG 11 December 2014, 8 AZR 1010/13). The BAG held that (1) an employer can rely on an employee’s voluntary consent under German data privacy laws and (2) an employee must take into account the employer’s interests when justifying his or her revocation of a valid consent. The BAG’s decisions are notable because they are contrary to the widely-held opinion that employee consent given in the context of the employment relationship is not completely voluntary.

German data privacy and copyright laws require an employer to obtain an employee’s consent to use the employee’s image in photos or videos developed for marketing or similar purposes.  The consent must be voluntarily given and not tied to the employee’s employment status.  Before the BAG’s decisions, some German data privacy law commentators argued that an employee’s consent is not always freely given because of the employee’s subordinate status in the employment relationship.

Now, under the BAG’s decisions, the existence of the employer-employee relationship does not cause an employee’s individual consent to be per se ineffective. The BAG determined that employees can freely choose whether to consent or not. If an employee believes that he or she is subject to discrimination for withholding consent, remedies are available under other German laws. The BAG emphasised that the consent must be in writing and include certain information to be valid and that whether the consent is subsequently revocable depends on the facts and circumstances.

Key Takeaway:

An employer should obtain individual written consent from an employee to use the employee’s image or likeness in marketing materials. To help prevent future revocation, the written consent must state (among other specific requirements) that the employer’s rights survive termination of the employment relationship.


California Joins Other States with the Passage of CalECPA

Law enforcement requests for electronic information, particularly from technology companies such as Google and Twitter, have skyrocketed in recent years. In response, several states—Maine and Texas in 2013, Utah in 2014 and Virginia earlier in 2015—passed laws that limit law enforcement searches of electronic data. On October 9, 2015, California joined these states by passing the California Electronic Communications Privacy Act (CalECPA), which is intended to protect California residents from unauthorized invasion of their digital privacy.

CalECPA applies to “electronic information,” which includes both “electronic communication information” and “electronic device information”:

  • Electronic communication information means “any information about an electronic communication or the use of an electronic communication service including … any information pertaining to any individual or device participating in the communication.”
  • Electronic device information means “any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.”

CalECPA generally requires a warrant before any business turns over any individual’s electronic information. Specifically, CalECPA prohibits any government entity that does not have a valid warrant or court order from:

  • Compelling an electronic communication service provider to produce or access electronic communication information;
  • Compelling any person or entity other than the authorized possessor of the device to produce or access electronic device information; or
  • Accessing electronic device information by physical interaction or electronic communication with the electronic device.

In addition, CalECPA requires:

  • A government entity to notify the target of an investigation about the electronic information covered by the search warrant; and
  • A “service provider” to verify the authenticity of electronic information that it produces pursuant to a warrant or government request.

CalECPA also permits a service provider to voluntarily disclose electronic communication information when disclosure is not otherwise prohibited by law.

Why CalECPA matters: CalECPA extends privacy rights to electronic data in a way that federal law has not: it bars any state law enforcement or investigative entity from compelling a business to turn over any metadata or digital communication—including emails, texts, documents stored in the cloud—without a warrant. It also requires a warrant to search or track the location of a business’ electronic devices like mobile phones. Also, no business (or its officers, employees and agents) may be subject to any cause of action for providing information or assistance pursuant to a warrant or court order under CalECPA.


Court of Justice of the European Union Says Safe Harbor Is No Longer Safe

Earlier today, the Court of Justice of the European Union (CJEU) announced its determination that the U.S.-EU Safe Harbor program is no longer a “safe” (i.e., legally valid) means for transferring personal data of EU residents from the European Union to the United States.

The CJEU determined that the European Commission’s 2000 decision (Safe Harbor Decision) validating the Safe Harbor program did not and “cannot eliminate or even reduce the powers” available to the data protection authority (DPA) of each EU member country. Specifically, the CJEU opinion states that a DPA can determine for itself whether the Safe Harbor program provides an “adequate” level of personal data protection (i.e., “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union” as required by the EU Data Protection Directive (95/46/EC)).

The CJEU based its decision invalidating the Safe Harbor Decision in part on the determination that the U.S. government conducts “indiscriminate surveillance and interception carried out … on a large scale.”

The plaintiff in the case that gave rise to the CJEU opinion, Maximilian Schrems (see background below), issued his first public statement praising the CJEU for a decision that “clarifies that mass surveillance violates our fundamental rights.”

Schrems also made reference to the need for “reasonable legal redress,” referring to the U.S. Congress’ Judicial Redress Act of 2015. The Judicial Redress Act, which has bi-partisan support, would allow EU residents to bring civil actions in U.S. courts to address “unlawful disclosures of records maintained by an [U.S. government] agency.”

Edward Snowden also hit the Twittersphere with “Congratulations, @MaxSchrems. You’ve changed the world for the better.”

Background

Today’s CJEU opinion invalidating the Safe Harbor program follows on the September 23, 2015, opinion from the advocate general (AG) to the CJEU in connection with Maximilian Schrems vs. Data Protection Commissioner.

In June 2013, Maximilian Schrems, an Austrian student, filed a complaint with the Irish DPA. Schrems’ complaint related to the transfer of his personal data collected through his use of Facebook. Schrems’ Facebook data was transferred by Facebook Ireland to Facebook USA under the Safe Harbor program. The core claim in Schrems’ complaint is that the Safe Harbor program did not adequately protect his personal data, because Facebook USA is subject to U.S. government surveillance under the PRISM program.

The Irish DPA rejected Schrems’ complaint because Facebook was certified under the Safe Harbor Program. Schrems appealed to the High Court of Ireland, arguing that the Irish (or any other country’s) DPA has a duty to protect EU citizens against privacy violations, like access to their personal data as part of U.S. government surveillance. Since Schrems’ appeal relates to EU law (not solely Irish law), the Irish High Court referred Schrems’ appeal [...]


The German Perspective: EU and U.S. Data Protection “Umbrella Agreement”

After over four years of negotiations, the European Union and the United States agreed on a framework data protection agreement on 8 September 2015 (Umbrella Agreement). The Umbrella Agreement covers all personal data exchanged between the European Union and the United States for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. According to the Q&A posted on the EU Commission’s website, the Umbrella Agreement shall “provide safeguards and guarantees of lawfulness for data transfers.”

During the negotiations, the Umbrella Agreement was widely criticized throughout the EU because EU citizens could not file lawsuits in the United States to enforce their data protection rights. The U.S. Privacy Act allows only U.S. residents to obtain redress for data privacy and protection violations. As part of the Umbrella Agreement, the U.S. Congress introduced an amendment to the U.S. Privacy Act known as the “Judicial Redress Bill.” If adopted, the Judicial Redress Bill will permit an EU citizen to use U.S. courts to (for example) have his or her name deleted from U.S. blacklists if the name was mistakenly included.

In Germany, first reactions by political commentators on the agreement are moderately optimistic, viewing it as an important step toward rebuilding trust after the National Security Agency (NSA) spying revelations. More importantly, the Umbrella Agreement includes many of the same general data privacy and protection principles followed in Germany and other EU countries, including:

  • Limitations on data use – Personal data may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences.
  • Onward transfer – Any onward transfer to a non-U.S., non-EU country or international organisation requires the prior consent of the competent data protection authority of the country from which the personal data was originally transferred.
  • Retention periods – Personal data may not be retained for longer than necessary or appropriate. The decision on what is an acceptable duration must take into account the impact on people’s rights and interests.  Retention periods must be published or otherwise made publicly available.
  • Right to access and rectification – Any individual will be entitled to access their personal data – subject to certain conditions, given the law enforcement context – and to request corrections.

While the increased data protection and proposed Judicial Redress Bill are positive developments, some commentators in Germany criticize the Umbrella Agreement’s lack of a clear and easy process for data protection enforcement in the United States for EU citizens. The critics claim that most individuals will not even know when and if their data protection rights are violated.

The U.S. Congress and the EU Parliament and Council still must ratify the Umbrella Agreement, the full text of which is not yet available, but we expect that the Umbrella Agreement will unite the European Union and the United States on an increased level of data protection. We will report on the Umbrella Agreement again once its full text is made public.
