The draft transcript of the May 9, 2013 oral argument and the decision on the record are now available here.
In what Law360 characterized as a “major blow to California's attorney general in the first test of California's Online Privacy Protection Act,” on May 9, 2013, Superior Court Judge Marla J. Miller concluded that Attorney General Kamala D. Harris’ complaint failed because the federal Airline Deregulation Act (“ADA”) completely pre-empts the State’s attempted consumer protection enforcement action against an air carrier. The ADA provides that a State cannot “enact or enforce a law … related to a price, route, or service of an air carrier.” 49 U.S.C. §41713(b)(1).
The Attorney General’s press release announcing the lawsuit is available here.
We will post the transcript and decision when available.
In recent weeks, many Hong Kong businesses have circulated emails to contacts in their customer databases, offering recipients the ability to “opt out” of future direct marketing. This is in response to the introduction of a new Part VI A (effective as of 1 April 2013) into Hong Kong’s Personal Data (Privacy) Ordinance (the “PDPO”). Under this Part VI A, companies are obliged to meet certain new requirements in respect of their use of personal data for direct marketing purposes.
Under the new regulatory regime, subject to grandfathering provisions applicable to existing data (explained in more detail below), a data user cannot use a data subject’s personal data in direct marketing after 1 April 2013 unless that data user first:
- informs the data subject that the data user intends to use his personal data in direct marketing and that the data user may not do so without his consent;
- informs the data subject of the type of personal data to be used for, and the subject of such direct marketing (e.g. the services or goods to be offered);
- provides a free response channel through which the data subject may indicate whether he consents to the intended use of his personal data; and
- is in receipt of the data subject’s consent to the intended use of his personal data (which, according to guidance published by the Hong Kong Privacy Commissioner, must be by active “opt-in” by the data subject, not by silence).
The grandfathering provisions in the PDPO will waive the above obligations if, prior to 1 April 2013, (i) the data subject had been explicitly informed by the data user of the intended use or use of his personal data in direct marketing in relation to the class of marketing subjects, (ii) the data user had used any of the data for such marketing, (iii) the data subject had not “opted out” of such use and (iv) the data user was in compliance with the PDPO provisions in force at the time of the use. Note, however, that even if the grandfathering provisions apply, a data subject always has the right to opt out as discussed in the next paragraph.
Data users must continue to ensure compliance with the following requirements after 1 April 2013 (which cannot be waived by the grandfathering provisions):
- when using the data subject’s personal data in direct marketing for the first time, the data user shall inform the data subject of his “opt-out” right; and
- the data user shall, at any time, cease using the data subject’s personal data in direct marketing if the data subject so requests.
Breach of the provisions set out above may constitute an offence for which the maximum liability upon conviction is a fine of HK$500,000 and imprisonment for three years.
Under the new regime, similar provisions prohibit a data user from providing a data subject’s personal data to another person for that other person’s use in direct marketing unless certain requirements are complied with. For certain offences involving such provision of data to another, where the data is provided for gain, the maximum liability upon conviction is a fine of HK$1,000,000 and imprisonment for five years.
The PDPO provides certain general statutory exemptions from the above provisions. So long as personal data is not provided to a third party for gain, neither restriction applies where the services being directly marketed are (i) social services run or financially supported by the Hong Kong Social Welfare Department, (ii) health care services provided by the Hong Kong Hospital Authority or Department of Health, or (iii) any other social or health care services the deprivation of which would be likely to cause serious harm to physical or mental health.
The Guidance advises that the Hong Kong Privacy Commissioner “would generally take the view that it would not be appropriate to enforce” the above provisions of the PDPO in those “clear-cut” cases where:
- the content directly marketed to a data subject is “clearly” intended for the use of the corporation for which the data subject works and not for the data subject’s personal use; and
- the data subject’s personal data used in the marketing was collected in the data subject’s “official capacity” (e.g. the personal data comprises contact details for the purpose of receiving communications in the individual’s professional role, not their personal capacity).
However, it is important to note that marketing to individuals in reliance on these exemptions is not without risk, as the Guidance is purely advisory, and does not offer a statutory exemption.
This post was prepared with the assistance of Scarlett Jennings in the Hong Kong office of Latham & Watkins.
On Friday, Feb. 1, 2013, following the now expected series of public workshops and roundtables and well-timed enforcement actions, the Federal Trade Commission Staff issued a new 36-page staff report, Mobile Privacy Disclosures: Building Trust Through Transparency. The Report summarizes past actions and guidance, and makes new recommendations for clearly and transparently informing users about mobile data practices in the “rapidly expanding mobile marketplace.”
The report makes distinct recommendations for meeting fair information practices for mobile operating systems (Apple iOS, Google Android, Windows Phone, along with the App stores for each), ad networks, and app developers, and solicits innovation and support from academia and industry trade associations in developing meaningful, consistent disclosure rules and practices.
The most meaningful disclosures are those connected to a user’s primary activity, in real time, the Staff acknowledges. Policies should be available through links in readily available locations (pre- and post-download), but “just-in-time” disclosures, particularly for sensitive items such as location or collection of personal data from the phone (contacts, photos and the like), are an important complement. A disclosure is best made proximate in time and “place” to a user’s particular goal, whether that be making a purchase, uploading or viewing content, or playing a game.
Although the Report principally highlighted the “transparency” principle (post a policy; just-in-time disclosures), a closer read indicates the FTC Staff remain very focused on the privacy by design concepts articulated in past reports, including reasonable collection limitations and disposal periods. Mobile devices can collect a great deal of data over time, which will “reveal the habits and patterns that mark the distinction between a day in the life and a way of life.” Such accumulated data, even if never sold to or shared with third parties, remains susceptible to theft or inadvertent loss, and therefore to long-acknowledged consumer harms such as stalking or identity theft. Many a data breach incident, and the attendant expense of disclosures, private party claims and lawsuits, would have been avoided by timely destruction of data once it had served its intended business purpose. Given these heightened privacy sensitivities, companies collecting data from mobile devices should be very thoughtful (i.e., intentional) in their choices about what data to collect, how long to store it, and with whom to share it, and should bear in mind that the FTC is joined in its concern by other regulators (for example the FCC, the California AG, the UK’s ICO and China’s MIIT).
Companies should also consider the effectiveness of the management information systems, monitoring procedures, and training programs for staff who are making and implementing decisions about what data elements are collected from smartphones, how they are combined with other profiling data, how they are shared, whether they are monetized in any way, and the role of analytics and ad networks.
By Omar Elsayed
Although some surveys of privacy law suggest otherwise, privacy requirements do in fact exist in the Kingdom of Saudi Arabia (KSA) and are very relevant to companies operating there or seeking to provide services to customers in KSA.
The paramount body of law in KSA is the Sharīʿah. The Sharīʿah comprises a collection of fundamental principles derived from a number of different sources, which include the Holy Qur’an and the Sunnah, the witnessed sayings and actions of the Prophet Mohammed.
Prohibited acts under Sharīʿah are punishable by specific penalties set out in the Holy Qur’an or the Sunnah. However, where the Holy Qur’an and the Sunnah are silent in that regard, a judge may use his discretion to determine the appropriate penalty. Such penalties may include imprisonment, monetary compensation and/or deprivation of certain rights. In determining the severity of a penalty, a judge will take into consideration the damage suffered by a victim and whether such damage is actual or consequential. In general, however, only actual proven damages are awarded by Saudi Arabian adjudicatory bodies.
Previous decisions of the Saudi Arabian adjudicatory bodies generally do not establish a binding precedent for the decision of later cases and the principle of stare decisis is not accepted in KSA. In addition, enacted legislation and the decisions of the various Saudi Arabian adjudicatory bodies are not generally or consistently indexed and collected in a central place or made publicly available.
Data Protection under Sharīʿah Principles
Sharīʿah principles protect each individual’s right to privacy and prohibit any invasion of it. Under Sharīʿah principles, disclosure of secrets is prohibited except, inter alia, where the owner of the relevant secret agrees to such disclosure or where the public interest so requires. The Holy Qur’an and the Sunnah do not stipulate a penalty for disclosure of secrets; however, as explained above, such disclosure may be punishable by a penalty that a judge, in his discretion, deems appropriate and equitable. Such penalty may include a fine, imprisonment or deprivation of certain rights such as suspension of a practicing license.
Data Protection under Saudi Arabian Law
In general, there is no specific data protection law in KSA. Therefore, in the absence of specific provisions on data protection, Saudi Arabian courts and adjudicatory bodies will interpret data privacy violations under general Sharīʿah principles, which are, as explained above, often expressed in general terms and afford courts and adjudicatory bodies considerable discretion. We understand, however, that a new personal data protection law is under review by the Shura Council.
Cyber Data Protection
The KSA Anti-Cyber Crime Law punishes any person that illegally:
- accesses the computer of another for the purpose of deleting, destroying, altering, or redistributing its information by a fine not exceeding 3,000,000 Saudi Riyals (approximately US$ 800,000) and/or imprisonment for a period not exceeding four years;
- accesses the bank or credit information of another or information pertaining to its owned securities by a fine not exceeding 2,000,000 Saudi Riyals (approximately US$ 533,333) and/or imprisonment for a period not exceeding three years; and
- intercepts data that is transmitted through a computer or an information network by a fine not exceeding 500,000 Saudi Riyals (approximately US$ 133,333) and/or imprisonment for a period not exceeding one year.
Employee Data Protection
KSA laws do not stipulate any procedures which employers must follow for the transfer of employee data outside of KSA. However, given general Sharīʿah principles and the proposed personal data protection law, multinational employers in KSA would probably benefit from including provisions in their employment contracts whereby the employees consent to the use or disclosure of their data to third parties to the extent such disclosures are anticipated or possible.
Patient Data Protection
The KSA Healthcare Practice Code requires that a health practitioner safeguard the secrets of patients which he comes across while carrying out his profession except, inter alia, where the written approval of the relevant patient is obtained. Violators of such confidentiality requirements can be subject to a fine not exceeding 20,000 Saudi Riyals (approximately US$ 5,333) and other disciplinary penalties such as the suspension of a practicing license. Such penalties may be increased based on the severity of the relevant breach or its recurrence.
Telecom Data Protection
The KSA Telecommunications Law restricts the disclosure of information that is intercepted during its transmission. Violators of such restrictions can be subject to a fine not exceeding 5,000,000 Saudi Riyals (approximately US$ 1,333,333). In addition, the Telecommunications Law restricts providers of telecom and internet services from disclosing information regarding their subscribers to third parties or from allowing individuals to monitor the communications of their subscribers.
Registration and Export of Personal Data
There are no specific requirements in respect of collection, registration or export of personal data under KSA legislation. It is, however, advisable to obtain the consent of the data subject prior to any export of their personal data to avoid breach of the general Sharīʿah principles.
This post was prepared with the assistance of Noor Al-Fawzan in the Riyadh office of Latham & Watkins.
HHS today published the long-awaited HIPAA/HITECH omnibus final rule. A pre-publication version of the Rule was released on January 17. The Rule is effective March 26, 2013, but covered entities and business associates have until September 23, 2013 to comply. While Latham & Watkins is still engaged in a comprehensive review of the entire final rule, some of the more notable changes and clarifications in the final rule, as compared to the interim final rule, are:
- Business associates are now directly liable for compliance with certain HIPAA Privacy and Security Rule obligations: impermissible uses and disclosures; failure to provide breach notification to a covered entity; failure to provide access to a copy of electronic protected health information (ePHI) to a covered entity, the individual, or the individual’s designee; failure to disclose PHI when required by the Secretary to investigate or determine the business associate’s compliance with HIPAA; failure to provide an accounting of disclosures; and failure to comply with the requirements of the Security Rule.
- The definition of business associate has been modified to clarify that a business associate includes an entity that “creates, receives, maintains, or transmits” PHI on behalf of a covered entity. This change was made specifically “to clarify that entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information.”
- Covered entities can no longer choose not to report a breach if they determine that it does not pose “a significant risk of financial, reputational, or other harm to the individual.” Instead, an unauthorized use, access, or disclosure of PHI “is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors: (i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (ii) The unauthorized person who used the protected health information or to whom the disclosure was made; (iii) Whether the protected health information was actually acquired or viewed; and (iv) The extent to which the risk to the protected health information has been mitigated” (emphasis added). This presumption substantially increases reporting obligations for covered entities and business associates alike, and will likely result in many more reported breaches.
- The number of individuals affected, the time period during which the violations occurred, and the organization’s history of compliance or non-compliance will be considered when assessing Civil Monetary Penalties (CMPs). The Secretary “may move directly to a civil monetary penalty without exhausting informal resolution efforts at her discretion, particularly in cases involving willful neglect violations.” Willful neglect is defined by the Rule as “conscious, intentional failure or reckless indifference to the obligation to comply.” The tiered penalty structure set forth in the HITECH Act has been expressly incorporated, with penalties increased based on the level of negligence and a $1.5 million maximum penalty per violation.
- The definition of “marketing” has been expanded to encompass all communications subsidized by the manufacturer of a product or service. The only exception is for communications about drugs and biologics that a patient is being treated with, including generics. A covered entity must obtain individual authorization prior to sending marketing communications. A covered entity must also obtain express written individual authorization before selling PHI, subject to certain exceptions.
- Changes to covered entities’ Notices of Privacy Practices to reflect the changes in the Rule are required.
- Breaches affecting fewer than 500 individuals must be reported within 60 days after the end of the calendar year in which they were discovered, not occurred.
- Notification to the Secretary must occur contemporaneously with notification to individuals for breaches affecting 500 or more individuals.
- Enhanced privacy protections for genetic information have been incorporated as required by the Genetic Information Non-Discrimination Act of 2008 (GINA).
In HHS’s press release, Director of the Office for Civil Rights Leon Rodriguez commented that the final omnibus rule "marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."
The above are some highlights that may be most relevant to covered entities and business associates in assessing how best to adjust their practices in order to comply with the changes in the Rule. Please watch for further details and a more in-depth analysis to come in a Latham & Watkins Client Alert.
By Li Jie Han
On December 28, 2012, the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China adopted the Decision on Strengthening the Protection of Online Information (“Decision”). The Decision contains twelve (12) clauses, which are applicable to entities in both the public and private sectors in respect of the collection and processing of electronic personal information on the Internet.
The Decision sets forth a number of provisions specifically governing the activities of Internet service providers (“ISPs”), other business enterprises and non-profit enterprises that handle electronic personal information. Each of these entities must:
- explicitly state the purpose, means and scope of their collection and use of electronic personal information, publicize their relevant policies, and obtain the consent of the subjects for the collection and use;
- keep collected electronic personal information in strict confidence, and not disclose, alter or destroy the collected electronic personal information, or sell or illegally provide such information to other persons;
- adopt technical and other necessary measures to ensure the security of electronic personal information, and promptly take remedial measures when such information is disclosed, damaged or lost;
- adopt information security safeguards, take prompt remedial measures on discovering users distributing information illegally, and notify the relevant government agencies; and
- refrain from sending messages without consent (or in contravention of directions not to send) to fixed telephones, mobile telephones and individual e-mail boxes.
Notably, ISPs must require users to furnish authentic identity information when providing access or information-related services to the users. This provision, which could potentially undermine the protection of personal privacy, has been the most widely reported. Nevertheless, the other provisions, though limited to electronic personal information and thus somewhat narrow in scope, provide additional protection, especially in commercial contexts, and thus warrant attention from a compliance standpoint.
The provisions under the Decision set out basic principles and are comparatively brief. It is expected that the NPC or other government agencies, e.g., the Ministry of Industry and Information technology (MIIT), will pass further legislation to clarify and substantiate these provisions. In the meantime, those companies collecting personal information through their websites operated within the PRC should make sure they fully and fairly disclose the type of personal information being collected and the purposes for which it will be used. The mechanisms for doing this should be reasonable based on how sensitive the data is and how intrusive the use.
The Decision in Chinese together with an English translation is available here: http://chinacopyrightandmedia.wordpress.com/2012/12/28/national-peoples-congress-standing-committee-decision-concerning-strengthening-network-information-protection.
Proposed amendments to draft EU Data Privacy Regulation impose major constraints on processing and export of Personal Data
Recently Jan Philipp Albrecht, rapporteur for the Civil Liberties, Justice and Home Affairs (LIBE) Committee, the lead committee considering the proposed draft General Data Protection Regulation, published the committee’s suggested amendments to the original draft regulation. The report runs to over 200 pages and contains over 350 separate amendments.
Since the original draft regulation was published in January of last year, businesses, industry bodies and regulators have been lobbying the European Commission, Council and Parliament to try and change some of the more onerous provisions and eliminate unnecessary burdens on organisations.
We have blogged previously about the need for a “risk based” approach that does not impose onerous controls on all businesses but instead looks at the risk posed by the data processing in question. Whilst the Council recognizes that the proposal of the European Commission needs to be amended to lower the burden on companies, the amendments do little to address those concerns.
Amendments lowering the burden on industry using the “risk based approach” are few and far between; however, one positive example is the change in the threshold which triggers the requirement to appoint a data protection officer. The amendments suggest the requirement is triggered if an organisation processes the data of more than 500 data subjects, as opposed to a DPO being required if an organisation has more than 250 employees, irrespective of the activities of the company.
The report does not, however, consider the concerns raised by businesses in relation to other significant areas. For example, the amendments further narrow the grounds that can be relied on to satisfy the legal basis required to process personal data in the first place - they significantly curtail the right to process personal data based on the legitimate interests ground, forcing companies to gain consent in areas where none is currently required. In addition, Albrecht would further increase the already very high standard for obtaining valid consent to a level that is arguably impracticable and unnecessary including eliminating the ability of businesses to use any type of default option that needs modifying by the user (e.g. the infamous pre-checked box). The amendments also state that businesses in a dominant market position may not be able to seek valid consent due to the imbalance of power between user and data controller, nor can consent be valid where unilateral changes are made to terms and conditions and the only option is for a user to cease using the service where a user has invested time in such resource. These changes, which would apply across the board, could impose serious roadblocks to business and take no account of the inherent risk of the underlying processing.
There are significant changes to the export rules, which require the review of the currently approved methods of export (e.g. the white list countries, US Safe Harbor and the Model Clauses) within two years of the date the regulation comes into force, at which time the existing methods will otherwise become invalid. There is also a sense of déjà vu, as the prohibition on businesses providing data in response to requests from overseas government bodies without the relevant treaty having been followed or express regulatory approval is re-introduced. This prohibition appeared in the initial leaked drafts of the proposed Regulation but was removed by the time the official draft was issued, partly due to pressure from the US, which argued that this would inhibit international law enforcement and was not in the public interest.
The amendments suggested expand the Regulation’s extra-territorial application to any business monitoring EU residents (rather than just those that monitor their behaviour) as well as making clear the rules apply to any business offering products and services to EU residents, even if such goods or services are free. Of course, this will only work if there is a realistic prospect of enforcement against overseas companies, which requires the overseas regulators to be on board.
It is not all bad news for businesses, though. There are some positives, such as the time limit for reporting data breaches being extended to 72 hours, the removal of a number of areas in which delegated acts could be made (which gave the Commission the right to further change the rules, so their removal should provide greater certainty in some areas), and further curtailments to the much debated right to be forgotten.
Still, all in all the proposal is a significant setback for business and drives yet another wedge between the US and EU on these issues, which, if the amendments are adopted, will make it harder for businesses to roll out a consistent business model and less likely that the US authorities will assist the EU in enforcement, negating the practical effect of the extra-territorial jurisdiction.
What are the data breach risks that are of the most concern to the hospitality industry? What is the US Federal Trade Commission’s jurisdictional authority and what enforcement tools do they have available when it comes to data security? Learn more about these issues and other top data security matters affecting the hospitality industry in Latham & Watkins’ on-demand webcast. The webcast is moderated by Latham & Watkins partner Gary Axelrod, Co-chair of Latham’s Hospitality, Gaming and Leisure Industry Group, and features data protection and privacy partners Jennifer Archie, Kevin Boyle and Gail Crawford, who address:
- Data Breach Risks specific to the hospitality industry
- Enforcement and litigation risks and developments
- Breach response steps
- Incident response planning
- Trends and developments, including internet crimes, global notification considerations, foreign sovereign espionage and SEC Reporting
Read more about data risks and regulations in the hospitality industry in a Q&A with partners Kevin Boyle, Jennifer Archie and Gail Crawford.
By Tess Waldron
As has been widely reported, on 6 November 2012 the ICO fined Prudential £50,000 for what was described by the ICO’s head of enforcement, Stephen Eckersley, as a case that “would be considered farcical were it not for the serious sums of money involved”.
The breach originally occurred in 2007, when the records of two individuals with the same first name, surname and date of birth were erroneously merged, causing thousands of pounds meant for one individual’s retirement to end up in the wrong account. Despite the fact that the issue was brought to the attention of Prudential on more than one occasion, it took three years to remedy the situation, including a delay of six months following receipt of a letter from one of the customers involved pointing out that his address had not changed for 15 years. The ICO indicated that the penalty imposed related to this six-month period, during which the company “failed to investigate thoroughly”.
This decision is notable as it is one of the few times a fine has been imposed on the private sector, and one of the few times an entity has received a penalty for anything other than data loss. However, it may well not be the last. As Mr Eckersley observed:
While data losses may make the headlines, most people will contact our office about inaccuracies and other issues relating to the misuse of their information. Inaccurate information on a customer’s record … can have a significant impact on someone’s life. We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate.
In handing out this penalty the ICO has ensured that it is not just data losses that will be making headlines in the future (the story was one of the most-read items on BBC Business) and made it clear that fines may be imposed for other breaches of the Data Protection Act which cause significant harm.
This post was prepared with the assistance of Jaime Hall, a trainee solicitor in the London office of Latham & Watkins.
The purpose of this communication is to foster an open dialogue and not to establish firm policies or best practices. Needless to say, this is not a substitute for legal advice or reading the rules and regulations we have summarized. In any particular case, you should consult with lawyers at the firm with the most experience on the topic. Depending on your specific situation, answers other than those outlined in this blog may be appropriate. Your use of this blog site alone creates no attorney client relationship between you and Latham & Watkins. Do not include confidential information in comments or other feedback or messages left on the Global Privacy & Security Compliance Law Blog, as these are neither confidential nor secure methods of communicating with attorneys.