Global Privacy and Security Compliance Law Blog - Commentary on global privacy and security issues of today

By Jennifer Archie and Kevin Boyle 

A California state judge has dismissed a state enforcement action against our client Delta Air Lines arising out of the alleged failure to timely post a privacy policy specific to its Fly Delta App in a manner that was reasonably accessible to smartphone users.

In what Law360 characterized as a “major blow to California's attorney general in the first test of California's Online Privacy Protection Act,” on May 9, 2013, Superior Court Judge Marla J. Miller concluded that Attorney General Kamala D. Harris’ complaint failed because the federal Airline Deregulation Act (“ADA”) completely pre-empts the State’s attempted consumer protection enforcement action against an air carrier.  The ADA provides that a State cannot “enact or enforce a law … related to a price, route, or service of an air carrier.”  49 U.S.C. §41713(b)(1).

Additional coverage on the decision is available from Bloomberg and Law360.

The key briefs in the matter are here, here and here.

The Attorney General’s press release announcing the lawsuit is available here. 

We will post the transcript and decision when available.

By Jennifer Archie

On Friday, Feb. 1, 2013, following the now expected series of public workshops and roundtables and well-timed enforcement actions, the Federal Trade Commission Staff issued a new 36-page staff report, Mobile Privacy Disclosures: Building Trust Through Transparency.  The Report summarizes past actions and guidance, and makes new recommendations for clearly and transparently informing users about mobile data practices in the “rapidly expanding mobile marketplace.” 

The report makes distinct recommendations for meeting fair information practices for mobile operating systems (Apple iOS, Google Android, Windows Phone, along with the App stores for each), ad networks, and app developers, and solicits innovation and support from academia and industry trade associations in developing meaningful, consistent disclosure rules and practices. 

The most meaningful disclosures are those which are connected to a user’s primary activity, in real time, the Staff acknowledges.  Policies should be available through links in readily available locations (pre- and post-download), but “just-in-time” disclosures, particularly for sensitive items such as location or collection of personal data from the phone (contacts, photos and the like), are an important compliment.  A disclosure is best made proximate in time and “place” to a user’s particular goal: whether it be making a purchase or uploading or viewing content or playing a game. 

And beyond merely linking out to a full policy, the Report favors accessibility and readability in the small screen environment.  Reading a full-size privacy policy on a mobile device can be challenging, particularly if it is presented without (as one participant in the workshop preceding the Report put it) “a clear visual hierarchy to draw attention to the key points of the documents,” such as “numeric outline, bullet points, and icons to help make it clear and digestible.”  (The Work shop materials, including slide presentations available at http://www.ftc.gov/bcp/workshops/inshort/index.shtml.)

Although the Report principally highlighted the “transparency” principle (post a policy; just in time disclosures), a closer read indicates the FTC Staff remain very focused on privacy by design concepts articulated in past reports, including reasonable collection limitations and disposal periods.  Mobile devices can collect a great deal of data over time, which will “reveal the habits and patterns that mark the distinction between a day in the life and a way of life.”  Such data accumulation, even if not sold to or shared with third parties, is as susceptible to theft or inadvertent loss and therefore, long acknowledged consumer harms such as stalking or identity theft.  Many a data breach incident – and the attendant expense of disclosures and private party claims and lawsuits – would have been avoided by timely destruction of data after it has served its intended business purposes.  Companies collecting data from mobile devices should be very thoughtful (i.e., intentional) in their choices about what data to collect, how long to store it, and with whom it should be shared due to these heightened privacy sensitivities and bear in mind that the FTC is joined in its concern by other regulators (for example the FCC, California AG, the UK’s ICO and China’s MIIT).

For companies collecting unique data elements through their Apps (who often outsource development to third parties), it is more important than ever to have a procedure in place to review the privacy implications of new mobile products and services, new servicing arrangements, and new marketing or other business partner arrangements.  In the App space, companies should avoid risks arising from major consumer brands partnering with weak or unsophisticated app development teams who do not understand the operating systems, ad sharing networks, analytics or other necessary technical building blocks to an accurate and fully implemented privacy policy. 

Companies should also consider the effectiveness of the management information systems, monitoring procedures, and training programs for staff who are making and implementing decisions about what data elements are collected from smartphones, how they are combined with other profiling data, how they are shared, whether they are monetized in any way, and the role of analytics and ad networks.

To manage risks of litigation or enforcement action, companies need to draft and post  a visually appealing, readable privacy policy – backed up by excellent just in time disclosures – that accurately and completely discloses what information is collected, how it is stored, used, disclosed, and secured, and whether end user choices and preferences exist and function as intended.  The cornerstone of that effort in large organizations is a core of designated personnel, with assigned duties, well published within the company, who are integrated into all new releases of mobile products and services.

By Susan Ambler Ebersole

HHS today published the long-awaited HIPAA/HITECH omnibus final rule.  A pre-publication version of the Rule was released on January 17.  The Rule is effective March 26, 2013, but covered entities and business associates have until September 23, 2013 to comply.  While Latham & Watkins is still engaged in a comprehensive review of the entire final rule, some of the more notable changes and clarifications in the final rule, as compared to the interim final rule, are:

• Business associates are now directly liable for compliance with certain HIPAA Privacy and Security Rule obligations: impermissible uses and disclosures; failure to provide breach notification to a covered entity; failure to provide access to a copy of electronic protected health information (ePHI) to a covered entity, the individual, or the individual’s designee; failure to disclose PHI when required by the Secretary to investigate or determine the business associate’s compliance with HIPAA; failure to provide an accounting of disclosures; and failure to comply with the requirements of the Security Rule.
• The definition of business associate has been modified to clarify that a business associate includes an entity that “creates, receives, maintains, or transmits” PHI on behalf of a covered entity.  This change was made specifically “to clarify that entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information.”
• Covered entities can no longer choose not to report a breach if they determine that it does not pose “a significant risk of financial, reputational, or other harm to the individual.”  Instead, an unauthorized use, access, or disclosure of PHI “is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors: (i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (ii) The unauthorized person who used the protected health information or to whom the disclosure was made; (iii) Whether the protected health information was actually acquired or viewed; and (iv) The extent to which the risk to the protected health information has been mitigated” (emphasis added).  This presumption substantially increases reporting obligations for covered entities and business associates alike, and will likely result in many more reported breaches.
• The number of individuals affected, the time period during which the violations occurred, and the organization’s history of compliance or non-compliance will be considered when assessing Civil Monetary Penalties (CMPs).  The Secretary “may move directly to a civil monetary penalty without exhausting informal resolution efforts at her discretion, particularly in cases involving willful neglect violations.”  Willful neglect is defined by the Rule as “conscious, intentional failure or reckless indifference to the obligation to comply.”  The tiered penalty structure set forth in the HITECH Act has been expressly incorporated, with penalties increased based on the level of negligence and a $1.5 million maximum penalty per violation.
• The definition of “marketing” has been expanded to encompass all communications subsidized by the manufacturer of a product or service.  The only exception is for communications about drugs and biologics that a patient is being treated with, including generics. A covered entity must obtain individual authorization prior to sending marketing communications.  A covered entity must also obtain express written individual authorization before selling PHI, subject to certain exceptions.
• Changes to covered entities’ Notices of Privacy Practices to reflect the changes in the Rule are required.
• Breaches affecting fewer than 500 individuals must be reported within 60 days after the end of the calendar year in which they were discovered, not occurred.
• Notification to the Secretary must occur contemporaneously with notification to individuals for breaches affecting more than 500 individuals.
• Enhanced privacy protections for genetic information have been incorporated as required by the Genetic Information Non-Discrimination Act of 2008 (GINA).

In HHS’s press release, Director of the Office for Civil Rights Leon Rodriquez commented that the final omnibus rule "marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."

The above are some highlights that may be most relevant to covered entities and business associates in assessing how best to adjust their practices in order to comply with the changes in the Rule.  Please watch for further details and a more in-depth analysis to come in a Latham & Watkins Client Alert.

Recently Jan Philipp Albrecht, rapporteur for the Civil Liberties, Justice and Home Affairs (LIBE) Committee, the lead committee considering the proposed draft General Data Protection Regulation, published the committee’s suggested amendments to the original draft regulation.  The reports runs to over 200 pages and contains over 350 separate amendments.

Since the original draft regulation was published in January of last year, businesses, industry bodies and regulators have been lobbying the European Commission, Council and Parliament to try and change some of the more onerous provisions and eliminate unnecessary burdens on organisations. 

We have blogged previously about the need for a “risk based” approach that does not impose onerous controls on all businesses but instead looks at the risk posed by the data processing in question. Whilst the Council recognizes that the proposal of the European Commission needs to be amended to lower the burden on companies, the amendments do little to address those concerns.

Amendments lowering the burden on industry using the “risk based approach” are few and far between, however, one positive example is the change in the threshold which triggers the requirement to appoint a data protection officer. The amendments suggest the requirement is triggered if an organisation processes the data of more than 500 data subjects; opposed to DPO being required if an organisation has more than 250 employees irrespective of the activities of the company.

The report does not, however, consider the concerns raised by businesses in relation to other significant areas.  For example, the amendments further narrow the grounds that can be relied on to satisfy the legal basis required to process personal data in the first place - they significantly curtail the right to process personal data based on the legitimate interests ground, forcing companies to gain consent in areas where none is currently required. In addition, Albrecht would further increase the already very high standard for obtaining valid consent to a level that is arguably impracticable and unnecessary including eliminating the ability of businesses to use any type of default option that needs modifying by the user (e.g. the infamous pre-checked box). The amendments also state that businesses in a dominant market position may not be able to seek valid consent due to the imbalance of power between user and data controller, nor can consent be valid where unilateral changes are made to terms and conditions and the only option is for a user to cease using the service where a user has invested time in such resource. These changes, which would apply across the board, could impose serious roadblocks to business and take no account of the inherent risk of the underlying processing.

There are significant changes to the export rules which require the review of the current approved methods of export (e.g. the white list countries, US Safe Harbor and the Model Clauses) within two years of the date the regulation comes into force, at which time the existing methods will otherwise become invalid. There is also a sense of de-ja-vu as the prohibition on businesses providing data in response to requests from overseas government bodies without the relevant treaty having being followed or express regulatory approval is re-introduced. This prohibition appeared in the initial leaked drafts of the proposed Regulation but was removed by the time the official draft was issued partly due to pressure from the US arguing that this would inhibit international law enforcement and was not in the public interest.

The amendments suggested expand the Regulation’s extra-territorial application to any business monitoring EU residents (rather than just those that monitor their behaviour) as well as making clear the rules apply to any business offering products and services to EU residents, even if such goods or services are free. Of course, this will only work if there is a realistic prospect of enforcement against overseas companies, which requires the overseas regulators to be on board.  

It is not all bad news for businesses though, there are some positives such as the time limit for reporting data breaches being extended to 72 hours, removal of a number of areas in which delegated acts could be made which gave the Commission the right to further change the rules (which should provide greater certainty in some areas) and further curtailments to the much debated right to be forgotten.

Still, all in all the proposal is a significant setback for business and drives yet another wedge between the US and EU on these issues, which--if the amendments are adopted--will make it harder for businesses to roll out a consistent business model and less likely that the US authorities will assist the EU in enforcement negating the practical effect of the extra-territorial jurisdiction. 

By Tess Waldron

As has been widely reported, on 6 November 2012 the ICO fined Prudential £50,000 for what was described by the ICO’s head of enforcement, Stephen Eckersley, as a case that “would be considered farcical were it not for the serious sums of money involved”.

The breach originally occurred in 2007, when the records of two individuals with the same first name, surname and date of birth were erroneously merged, causing thousands of pounds meant for one individual’s retirement to end up in the wrong account.  Despite the fact that the issue was brought to the attention of Prudential on more than one occasion, it took three years to remedy the situation, including a delay of six months following receipt of a letter from one of the customers involved pointing out that his address had not changed for 15 years.  The ICO indicated that the penalty imposed related to this six-month period, during which the company “failed to investigate thoroughly”.

This decision is notable as it is one of the few times that a fine is imposed on the private sector and that an entity has received a penalty for anything other than data loss.  However, it may well not be the last.  As Mr Eckersley observed:

While data losses may make the headlines, most people will contact our office about inaccuracies and other issues relating to the misuse of their information.  Inaccurate information on a customer’s record … can have a significant impact on someone’s life.  We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate.

In handing out this penalty the ICO has ensured that it is not just data losses that will be making headlines in the future (the story was one of the most-read items on BBC Business) and made it clear that fines may be imposed for other breaches of the Data Protection Act which cause significant harm.

This post was prepared with the assistance of Jaime Hall, a trainee solicitor in the London office of Latham & Watkins.