Data Privacy Archives - Page 14 of 35

Data Privacy

Data Broker’s Appeal to U.S. Supreme Court Could Reshape Future of Data Privacy Litigation

by McDermott Will & Emery | May 14, 2015 | Big Data, Consumer Protection, Data Privacy, General Interest

In a case that could shape the future of data privacy litigation, the Supreme Court recently agreed to review the decision by the U. S. Court of Appeals for the Ninth Circuit under the Fair Credit Reporting Act (FCRA) in Robins v. Spokeo, Inc. At issue is the extent to which Congress may create statutory rights that, when violated, are actionable in court, even if the plaintiff has not otherwise suffered a legally-redressable injury.

Spokeo is a data broker that provides online “people search capabilities” and “business information search” (i.e., business contacts, emails, titles, etc.). Thomas Robins (Robins) sued Spokeo in federal district court for publishing data about Robins that incorrectly represented him as married and having a graduate degree and more professional experience and money than he actually had. Robins alleged that Spokeo’s inaccurate data caused him actual harm by (among other alleged harms) damaging his employment prospects.

After some initial indecision, the district court dismissed the case in 2011 on the grounds that Robins had not sufficiently alleged any actual or imminent harm traceable to Spokeo’s data. Without evidence of actual or imminent harm, Robins did not have standing to bring suit under Article III of the U.S. Constitution. Robins appealed.

On February 4, 2014, the Court of Appeals for the Ninth Circuit announced its decision to reverse the district court, holding that the FCRA allowed Robins to sue for a statutory violation: “When, as here, the statutory cause of action does not require proof of actual damages, a plaintiff can suffer a violation of the statutory right without suffering actual damages.” The Court of Appeals acknowledged limits on Congress’ ability to create redressable statutory causes of action but held that Congress did not exceed those limits in this case. The court held that “the interests protected” by the FCRA were “sufficiently concrete and particularized” such that Congress could create a statutory cause of action, even for individuals who could not show actual damages.

Why Spokeo Matters

If the Supreme Court reverses the Ninth Circuit’s decision, the decision could dramatically redraw the landscape of data privacy protection litigation in favor of businesses by requiring plaintiffs to allege and eventually prove actual damages. Such a ruling could severely limit lawsuits brought under several privacy-related statutes, in which plaintiffs typically seek statutory damages on behalf of a class without needing to show actual damages suffered by the class members. Litigation under the FCRA, the Telephone Consumer Protection Act and the Video Privacy Protection Act (among others statutes) all could be affected.

GPEN Children’s Privacy Sweep Announced

by McDermott Will & Emery | May 13, 2015 | Big Data, Consumer Protection, Cybersecurity, Data Privacy, General Interest, Mobile Apps, Social Media

On 11 May 2015, the UK Information Commissioner’s Office (ICO), the French data protection authority (CNIL) and the Office of the Privacy Commissioner of Canada (OPCC) announced their participation in a new Global Privacy Enforcement Network (GPEN) privacy sweep to examine the data privacy practices of websites and apps aimed at or popular among children. This closely follows the results of GPEN’s latest sweep on mobile applications (apps),which suggested a high proportion of apps collected significant amounts of personal information but did not sufficiently explain how consumers’ personal information would be collected and used. We originally reported the sweep on mobile apps back in September 2014.

According to the CNIL and ICO, the purpose of this sweep is to determine a global picture of the privacy practices of websites and apps aimed at or frequently used by children. The sweep seeks to instigate recommendations or formal sanctions where non-compliance is identified and, more broadly, to provide valuable privacy education to the public and parents as well as promoting best privacy practice in the online space.

Background

GPEN was established in 2010 on the recommendation of the Organisation for Economic Co-operation and Development. GPEN aims to create cooperation between data protection regulators and authorities throughout the world in order to globally strengthen personal privacy. GPEN is currently made up of 51 data protection authorities across some 39 jurisdictions.

According to the ICO, GPEN has identified a growing global trend for websites and apps targeted at (or used by) children. This represents an area that requires special attention and protection. From 12 to 15 May 2015, GPEN’s “sweepers”—comprised of 28 volunteering data protection authorities across the globe, including the ICO, CNIL and the OPCC—will each review 50 popular websites and apps among children (such as online gaming sites, social networks, and sites offering educational services or tutoring). In particular, the sweepers will seek to determine inter alia:

The types of information being collected from children;
The ways in which privacy information is explained, including whether it is adapted to a younger audience (e.g., through the use of easy to understand language, large print, audio and animations, etc.);
Whether protective controls are implemented to limit the collection of childrens’ personal information, such as requiring parental permission prior to use of the relevant services or collection of personal information; and
The ease with which one can request for personal information submitted by children to be deleted.

Comment

We will have to wait some time for in-depth analysis of the sweep, as the results are not expected to be published until the Q3 of this year. As with previous sweeps, following publishing of the results, we can expect data protection authorities to issue new guidance, as well as write to those organisations identified as needing to improve or take more formal action where appropriate.

OCR Transmits Pre-Audit Screening Surveys to Covered Entities for Phase 2 HIPAA Compliance Audits

by Edward G. Zacharias, Daniel F. Gottlieb and Ryan S. Higgins | May 7, 2015 | Consumer Protection, Cybersecurity, Data Privacy, General Interest

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently transmitted HIPAA pre-audit screening surveys to covered entities that may be selected for a second phase of HIPAA compliance audits (Phase 2 Audits). OCR is required to conduct compliance audits of covered entities and business associates under the 2009 Health Information Technology for Economic and Clinical Health Act.

Unlike the pilot audits conducted in 2011 and 2012 (Phase 1 Audits), which focused on covered entities, OCR is conducting Phase 2 Audits of both covered entities and business associates. The Phase 2 Audit program will focus on areas of greater risk to the security of protected health information (PHI) and pervasive non-compliance based on OCR’s Phase I Audit findings and observations, rather than a comprehensive review of all of the HIPAA Standards. The Phase 2 Audits are also intended to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates. In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.

OCR had previously planned to issue the pre-audit screening surveys in the summer of 2014, but postponed their release until it completed its implementation of a new web portal that will be used for the submission of audit-related materials.

We will publish a fuller On the Subject regarding the Phase 2 Audits in the coming days.

Italian Data Privacy Authority’s Public Consultation on the Internet of Things

by Martino Sforza and Veronica Pinotti | May 6, 2015 | Consumer Protection, Cybersecurity, Data Privacy

On April 28, 2015, the Italian Data Privacy Authority (the Authority) launched a public consultation on the Internet of Things aimed at collecting contributions from stakeholders and assessing its potential impact on consumers’ privacy. This public consultation in Italy follows the opinion of the EU Article 29 Working Party of September 2014 and a more recent report of the U.S. Federal Trade Commission of January 2015, which had identified a number of issues and challenges in relation to the Internet of Things. Interested parties can submit their comments to the Authority by e-mail within 180 days of the publication in the Official Journal of the decision to launch the consultation (expected in the next few days).

This is an outstanding opportunity for stakeholders to provide their contribution on issues such as users’ profiling, data anonymization, the applicability of the data protection by design principles and the use of certification and authentication tools, in order to identify a set of best practices to ensure that compliance with data privacy rules does not constitute a limit to the development of Internet of Things technologies. The consultation might hopefully result in the adoption of specific guidance by the Authority on the application of data privacy rules to businesses active in the Internet of Things market, which currently face significant compliance issues.

DOJ Guidance for Victims of Cybercrime: The Dos and Do Nots of Cyber Preparedness

by Amy C. Pimentel | May 5, 2015 | Cybersecurity, Data Privacy, General Interest

On April 29, 2015, the Cybersecurity Unit in the Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice released a best practices document (Document) for victims of cyber incidents. The Document provides useful and practical tips that will assist organizations, regardless of size and available resources, in creating a cyber-incident response plan and responding quickly and effectively to cyber incidents. It iterates many of the important lessons that federal prosecutors and private sector companies have learned in handling cyber incidents, investigations, prosecutions and recoveries.

Assistant Attorney General Leslie Caldwell delivered a speech at the Criminal Division’s Cybersecurity Industry Roundtable on April 29, 2015, wherein she described the Document as “living,” and one that CCIPS will “continue to update as the challenges and solutions change over time.” Caldwell added that this Document is an example of the assistance CCIPS plans to continue to provide in order to elevate cybersecurity efforts and build better channels of communication with law enforcement.

Best Practices for Cybersecurity Preparedness

CCIPS recommends eight steps as part of an organization’s pre-planning activities to help limit computer damage, minimize work disruption, and maximize the ability of law enforcement to locate and apprehend perpetrators:

Identify your “Crown Jewels”—an organization’s most valued assets that warrant the most protection.
Have an actionable plan in place before an intrusion occurs—stressing the word “actionable,” CCIPS suggests organizations decide on specific, concrete procedures to follow in the event of a cyber incident.
Have appropriate technology and services in place—equipment, such as data back-up, intrusion detection capabilities, data-loss-prevention technologies, and devices for traffic filtering or scrubbing, should be installed, tested, and ready to deploy before a cyber incident occurs.
Have appropriate authorization in place to permit network monitoring—obtain employee consent to monitor and disclose, as necessary, their communications to facilitate early detection and response to a cyber incident.
Ensure your legal counsel is familiar with technology and cyber incident management—legal counsel who are conversant and accustomed to addressing issues associated with cyber attacks will speed up an organization’s decision-making process and reduce the organization’s response time.
Ensure organization policies align with the cyber incident response plan—preventative and preparatory measures should be implemented in all relevant organizational policies, such as human resources policies.
Engage with law enforcement before an incident—meeting and engaging with local federal law enforcement offices will facilitate interaction and establish a trusted relationship.
Establish a relationship with cyber information sharing organizations—information sharing organizations exist in every sector of critical infrastructure and may provide cybersecurity-related services.

The Cyber Incident Preparedness Checklist (included in the Document) succinctly outlines these eight steps, and is of practical use to an organization that is creating or improving its already-existing incident response plan. For an incident response plan, the Document provides explicit examples of the types of information an organization should evaluate when assessing the nature and scope of an incident. It also includes the information an organization should document in its initial assessment and the [...]

Continue Reading

Where Are We Now? The NIST Cybersecurity Framework One Year Later

by McDermott Will & Emery and Amy C. Pimentel | May 4, 2015 | Cybersecurity, Data Privacy, Workplace Privacy

The National Institute of Standards and Technology (NIST) released its Cybersecurity Framework (Framework) almost 15 months ago and charged critical infrastructure companies within the United States to improve their cybersecurity posture. Without question, the Framework has sparked a national conversation about cybersecurity and the controls necessary to improve it. With regulators embracing the Framework, industry will want to take note that a “voluntary” standard may evolve into a de facto mandatory standard.”

Read the full On the Subject on the NIST Cybersecurity Framework on the McDermott website.

Telehealth: Implementation Challenges in an Evolving Dynamic

by McDermott Will & Emery | Apr 28, 2015 | Big Data, Data Privacy, General Interest, Mobile Apps

As part of its four-part Digital Health webinar series, on April 14, 2015, McDermott Will & Emery presented “Telehealth: Implementation Challenges in an Evolving Dynamic.”

Telehealth (also known as telemedicine) generally refers to the use of technology to support the remote delivery of health care. For example:

A health care provider in one place is connected to a patient in another place by video conference
A patient uses a mobile device or wearable that enables a doctor to monitor his or her vital signs and symptoms
A specialist is able to rapidly share information with a geographically remote provider treating a patient

While the benefits of telehealth are clear – for example, making health care available to those in underserved areas and for patients who cannot regularly visit their providers but need ongoing monitoring — implementing telehealth requires providers and patients, as well as payers, to adapt to a dynamic new health care, data sharing and reimbursement delivery framework. The webinar explored these areas and more.

We are pleased to offer our readers access to the archived webinar and the slide presentation. If you have questions or would like to learn more, please contact Dale Van Demark.

Recent Decisions Narrow Scope of Liability under Video Privacy Protection Act

by McDermott Will & Emery | Apr 27, 2015 | Consumer Protection, Data Privacy, Mobile Apps

Two significant decisions under the Video Privacy Protection Act (VPPA) in recent weeks have provided new defenses to companies alleged to have run afoul of the statute. Bringing the long-running litigation against Hulu to a close–at least pending appeal–the court in In re: Hulu Privacy Litigation granted summary judgment in favor of Hulu, holding that the plaintiffs could not prove that Hulu knowingly violated the VPPA. A week later in a more recently filed case, Austin-Spearman v. AMC Network Entertainment, LLC, the court dismissed the complaint on the basis that the plaintiff was not a “consumer” protected by the VPPA. Both rulings provide comfort to online content providers, while also raising new questions as to the scope of liability under the VPPA.

In re: Hulu Privacy Litigation

In a decision with wide-ranging implications, the Hulu court granted summary judgment against the plaintiffs, holding that they had not shown that Hulu knowingly shared their video selections in violation of the VPPA. The plaintiffs’ allegations were based on Hulu’s integration of a Facebook “Like” button into its website. Specifically, the plaintiffs alleged that when the “Like” button loaded on a user’s browser, Hulu would automatically send Facebook a “c_user” cookie containing the user’s Facebook user ID. At the same time, Hulu would also send Facebook a “watch page” that identified the video requested by the user. The plaintiffs argued that Hulu’s transmission of the c_user cookie and the watch page allowed Facebook to identify both the Hulu user and that user’s video selection and therefore violated the VPPA.

The plaintiffs’ case foundered, however, on their inability to demonstrate that Hulu knew that Facebook’s linking of those two pieces of information was a possibility. According to the court, “there is no evidence that Hulu knew that Facebook might combine a Facebook user’s identity (contained in the c_user cookie) with the watch page address to yield ‘personally identifiable information’ under the VPPA.” Without showing that Hulu had knowingly disclosed a connection between the user’s identity and the user’s video selection, there could be no VPPA liability.

The court’s decision, if upheld on appeal, is likely to provide a significant defense to online content providers sued under the VPPA. Under the decision, plaintiffs must now be able to show not only that the defendant company knew that the identity and video selections of the user were disclosed to a third party, but also that the company knew that that information was disclosed in manner that would allow the third party to combine those pieces of information to determine which user had watched which content. While Hulu prevailed only at the summary judgment stage after four years of litigation, other companies could likely make use of this same rationale at the pleadings stage, insisting that plaintiffs set out a plausible case in their complaint that the defendant had the requisite level of knowledge.

Austin Spearman v. AMC Network Entertainment

The AMC decision turned on the VPPA’s definition of the term “consumer” and illustrated how that seemingly [...]

Continue Reading

Argentina Adopts New Data Protection Regulations for the Use of Do Not Call Registry and CCTV

by Effie D. Silva | Apr 24, 2015 | Consumer Protection, Data Privacy, Uncategorized

The Argentinian Data Protection Authority (DPA) beefs up penalties to fight robocalls and unconsented-to video surveillance by enacting Do Not Call and CCTV regulations.

Because robocalls are cheap and efficient, they have become a quite popular form of advertising in Argentina. In order to curb the variety of abuses that can come from robocalling–such as deceptive and abusive marketing–Argentina is injecting into their regulatory regime penalty-driven regulations that will address the problems presented by robocalls. This will preserve their beneficial use while still complying with Argentina’s privacy law requirements. Specifically, the February 2015 sanctions regulation addresses the recently adopted national Do Not Call registry that was implemented at the start of this year.

To comply with the Do Not Call regulations, companies need to register and download the database of individuals who do not want to be called. If companies fail to do so, they can be subject to various serious fines of up to USD $12,000. Examples of serious breaches include the processing of personal data without the DPA registration or breach of the Do Not Call regulation in marketing campaigns (even if the caller is located abroad). Any international transfers in breach of the Data Protection Act and its regulations would be considered a more serious breach. Indeed, the DPA has already issued 60 enforcement notices based on this new sanctions regulation.

In February, the DPA also enacted a law regulating the use of closed-circuit television (CCTV) cameras for video surveillance in the private and public sphere. The new CCTV regulation requires data controllers to apply, if possible, notice and consent provisions to CCTV-related data processing. It also requires that a conspicuous sign be included for the purpose of informing the data subject of the name and domicile of the data controller, as well as where to exercise the data protection rights. Additionally, CCTV databases must be registered and the personal data collected shall not be used for any purpose incompatible with that which gives rise to their collection. It is important to note that some CCTV processing is exempted from consent, such as public government databases and processing data within private property for private purposes.

These regulations were enacted in an effort to round out and complete Argentina’s privacy legal framework.

National Roadmap for Health Data Sharing: FTC Advocates Preservation of Privacy and Competition

by Carla A. R. Hine and Jennifer S. Geetter | Apr 17, 2015 | Big Data, Cloud, Consumer Protection, Cybersecurity, Data Privacy, Ecommerce, Mobile Apps

On April 1, 2015, the Office of the National Coordinator for Health Information Technology (ONC), which assists with the coordination of federal policy on data sharing objectives and standards, issued its Shared Nationwide Interoperability Roadmap and requested comments. The Roadmap seeks to lay out a framework for developing and implementing interoperable health information systems that will allow for the freer flow of health-related data by and among providers and patients. The use of technology to capture and understand health-related information and the strategic sharing of information between health industry stakeholders and its use is widely recognized as critical to support patient engagement, improve quality outcomes and lower health care costs.

On April 3, 2015, the Federal Trade Commission issued coordinated comments from its Office of Policy Planning, Bureau of Competition, Bureau of Consumer Protection and Bureau of Economics. The FTC has a broad, dual mission to protect consumers and promote competition, in part, by preventing business practices that are anticompetitive or deceptive or unfair to consumers. This includes business practices that relate to consumer privacy and data security. Notably, the FTC’s comments on the Roadmap draw from both its pro-competitive experience and its privacy and security protection perspective, and therefore offer insights into the FTC’s assessment of interoperability from a variety of consumer protection vantage points.

The FTC agreed that ONC’s Roadmap has the potential to benefit both patients and providers by “facilitating innovation and fostering competition in health IT and health care services markets” – lowering health care costs, improving population health management and empowering consumers through easier access to their personal information. The concepts advanced in the Roadmap, however, if not carefully implemented, can also have a negative effect on competition for health care technology services. The FTC comments are intended to guide ONC’s implementation with respect to: (1) creating a business and regulatory environment that encourages interoperability, (2) shared governance mechanisms that enable interoperability, and (3) advancing technical standards.

Taking each of these aspects in turn, creating a business and regulatory environment that encourages interoperability is important because, if left unattended, the marketplace may be resistant to interoperability. For example, health care providers may resist interoperability because it would make switching providers easier and IT vendors may see interoperability as a threat to customer-allegiance. The FTC suggests that the federal government, as a major payer, work to align economic incentives to create greater demand among providers for interoperability.

With respect to shared governance mechanisms, the FTC notes that coordinated efforts among competitors may have the effect of suppressing competition. The FTC identifies several examples of anticompetitive conduct in standard setting efforts for ONC’s consideration as it considers how to implement the Roadmap.

Finally, in advancing core technical standards, the FTC advised ONC to consider how standardization could affect competition by (1) limiting competition between technologies, (2) facilitating customer lock-in, (3) reducing competition between standards, and (4) impacting the method for selecting standards.

As part of its mission to protect consumers, the FTC focuses its privacy and security [...]

Continue Reading