Posted in Privacy and Data Security Security Breaches US State Law

New Data Breach Notification Law in Nebraska

Written by Anne Kierig

An amendment to Nebraska’s data breach notification law, signed by the Governor earlier this month and effective July 20, 2016, makes key changes to the state’s notification regime. First, the law expands the definition of “personal information” to include “a user name or email address, in combination with a password or security question and answer, that would permit access to an online account.” Nebraska will be the fifth state, joining California, Florida, Nevada, and Wyoming, to require notification in the event of a breach of account credentials. The law also will require notice to the Nebraska Attorney General no later than the time notice is provided to Nebraska residents affected by a breach. Finally, encrypted data (defined as data “converted by use of an algorithmic process . . . into a form in which the data is rendered unreadable or unusable without use of a confidential process or key”) will no longer qualify for the safe harbor from notification “if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach of the security of the system.” The Nebraska state legislature passed the bill, LB 835, unanimously.

Posted in Cybersecurity Mobile Privacy US Federal Law

FTC Mobile Health Apps Announcement Reinforces Likely Increased Scrutiny of Mobile Health Apps

Written by Peter McLaughlin and Michelle Anderson

The U.S. Federal Trade Commission (FTC) recently announced its creation of a Mobile Health Apps Interactive Tool, a web-based tool designed to help developers of mobile health (mHealth) applications understand which federal laws and regulations they should consider in developing their apps[1]. While the tool is helpful as a starting place for mHealth app developers to recognize basic issues regarding the applicability of select laws and regulations, developers should be cautious about relying exclusively on guidance resulting from the tool[2]. In addition to using the tool, developers should obtain detailed legal guidance regarding:

  1. Complex legal issues under the laws and regulations covered by the tool, such as whether the type of information collected by the app is “identifiable health information”; and
  2. Additional legal and regulatory obligations, such as those under state laws or international laws.

Mobile Health Interactive Tool

The tool guides developers through high-level questions about their app’s functionality, data collection, and services to users. Based on a developer’s responses, the tool provides guidance about which federal laws may apply to the app. The tool’s guidance covers the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), the FTC Act, and the FTC’s Health Breach Notification Rule. It includes a Glossary with definitions of regulatory terms (e.g., medical device), as well as links to further guidance and other federal agency resources, such as OCR’s Health App Use Scenarios & HIPAA and discussion portal, and the FDA’s Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff.

For example, if a developer answers:

  • Question 1: Yes, my app creates, receives, maintains, or transmits identifiable health information;
  • Question 2: No, the developer is not a health care provider or health plan;
  • Question 3: No, the app does not require a prescription to access the app; and
  • Question 4: Yes, the app is being developed on behalf of a HIPAA covered entity;
  • then the tool answers that the developer is “likely [] a HIPAA business associate, subject to the HIPAA Security Rule and specific provisions of the HIPAA Privacy and Breach Notification Rules” and provides an overview of the obligations under each of the HIPAA Rules. In this scenario, the tool also directs the developer to Question 5 to see if the FD&C Act also applies.

While the tool is helpful in identifying basic issues, it covers only the laws and regulations mentioned above, and it does not address complex issues under those laws and regulations. For example, it does not help a developer determine whether the information collected by the app is “identifiable health information.” Similarly, for a developer producing a health app directed toward consumers but with data accessible to healthcare providers, the analysis becomes more complicated. For example, if the app permits a connection with a healthcare professional’s systems, the extent of that connectedness can mean the difference between the application of HIPAA or the FTC’s consumer protection rules – and as recent FTC enforcement in the mHealth app space demonstrates, the mere fact that an app handles protected health information does not place the app outside the FTC’s jurisdiction.

FTC Mobile Health App Best Practices

In conjunction with the release of the interactive tool, the FTC also released its own guidance, Mobile Health App Developers: FTC Best Practices. This guidance is aimed at helping developers understand their obligations under the FTC Act. For example, it recommends that developers provide “simple, clear, and direct” notice of their app’s privacy and security features, including providing “just in time” notice regarding the collection of sensitive or unexpected data (e.g., geolocation information) and explaining why certain information is being collected (e.g., collecting geolocation information in order to track the distance cycled if the app is a cycling app). The FTC also notes that certain information, such as dietary information or blood pressure readings, may require obtaining a user’s affirmative express consent prior to collecting or sharing the data. This guidance for mHealth app developers draws on the FTC’s June 2015 Start with Security: A Guide for Business, which provided practical lessons that all businesses can learn from the FTC’s data security settlements under the FTC Act.

Increased Regulatory Activity Likely

It remains to be seen whether the FTC’s release of this tool and guidance is simply to provide resources to mHealth app developers – or whether the FTC will use this guidance to bring enforcement actions under its unfair and deceptive acts and practices powers. However, the release of this tool and guidance is part of a larger trend of increased regulatory activity within the health data security space, coming on the heels of the appointment of members to the Health Care Industry Cybersecurity Task Force, as required under the Cybersecurity Information Sharing Act of 2015; updated OCR audit protocols for HIPAA Phase 2 audits; and the release of OCR’s HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.

[1] The tool was designed in collaboration with the U.S. Department of Health and Human Services (HHS), including the Office of the National Coordinator for Health Information Technology (ONC), the Office for Civil Rights (OCR), and the Food and Drug Administration (FDA).

[2] The FTC even included the following disclaimer on the tool’s website: “It’s not meant to be legal advice about all of your compliance obligations, but it will give you a snapshot of a few important laws and regulations from three federal agencies.”

Posted in EU Data Protection International Privacy

Data Protection Working Party Announces decision to reject EU-US Privacy Shield

Written by Sydney White

On April 13, the Article 29 Data Protection Working Party announced a decision to reject the EU-US Privacy Shield agreement as drafted and requested changes based upon the following concerns, on which we provide some initial analysis.

  • The Privacy Shield lacks clarity due to its format (the European Commission adequacy decision and the numerous annexes make it difficult to navigate). It also contains some inconsistencies.
  • The Privacy Shield will need to be revisited after the General Data Protection Regulation comes into effect in 2018, most likely to further strengthen protections. This would be a major change in the text of the agreement.
  • Commercial aspects of European law are not adequately reflected in the Privacy Shield, including the protections of purpose limitation, data retention, and individual decisions on automated data processing. This too would be a major change.
  • Onward transfers from Privacy Shield entities will not be subject to consistent protections including on national security. As applied to transfers outside the US, this is not a major change in current EU standards.
  • There should be clarification of the new recourse procedures available to European citizens including a possible role for EU data protection authorities. If limited to funneling complaints to the FTC, this would not be a major change.
  • The Ombudsman established under the US State Department is not sufficiently independent and will not have adequate authority to effectuate remedies. This could potentially be addressed by placing the Ombudsman in the FTC.

Significantly, the Statement emphasized that representations from the US Office of the Director of National Intelligence are inadequate with respect to “massive and indiscriminate surveillance of individuals” and consequently the Working Party will be looking to upcoming rulings by the EU Court of Justice on surveillance cases.

Although the Article 29 Working Party plays only an advisory role to the European Commission, we expect that the more specific recommendations in particular will be incorporated into the framework prior to final approval by EU authorities. Given European Summer holidays, this may not happen until September.

Posted in EU Data Protection International Privacy

EUROPE – US: EU Data Protection Authorities voice strong concerns about Privacy Shield

EU Data Protection Authorities demand improvements before EU – US transfer mechanism will be approved.

The Article 29 Working Party (“WP29”), which comprises the national data protection authorities of the EU member states, issued a statement on Wednesday strongly criticizing the draft “EU – US Privacy Shield” proposal. Privacy Shield is intended to be the replacement for the defunct Safe Harbor scheme, which allowed EU companies to legally export personal data to the US.

Whilst WP29 accepts that, in its current form, Privacy Shield represents a significant improvement over Safe Harbor, it believes it does not go far enough in offering EU citizens an adequate level of protection for their personal information. Crucially, WP29 considers that Privacy Shield does not sufficiently address the massive and indiscriminate collection of personal data by the US authorities which was the precipitating factor in the Schrems case which brought down Safe Harbor.

In summary, the specific criticisms voiced by WP29 are:

  • Lack of clarity – Privacy Shield is comprised of various documents and annexes, making information hard to find and at times inconsistent;
  • Lack of key data protection principles – some of the central principles of European data protection law, such as purpose limitation and data retention, are not sufficiently covered by the proposal;
  • Onward transfers – the proposal does not ensure that the same standards are applied by third country recipients who receive EU personal data from a Privacy Shield entity;
  • Complex redress mechanism – EU citizens may not be able to effectively defend their rights in the face of a complex recourse mechanism which for many will be in a different language;
  • Indiscriminate data collection – there is insufficient detail about how the massive and indiscriminate surveillance of individuals by US authorities will be curtailed. In WP29’s view, such surveillance can never be considered proportionate or necessary;
  • Ombudsperson not independent – WP29 welcomes the creation of an Ombudsperson role to handle and solve complaints raised by EU citizens. However, it is concerned that this role will not be sufficiently independent from US authorities.

The statement also concluded that, even if Privacy Shield is approved as an adequate mechanism for data transfers under current legislation, a review of its efficacy will be needed following the entry into application of the General Data Protection Regulation (“GDPR”) in 2018. This appears to be a strong hint from WP29 that, in its current form, Privacy Shield would almost certainly not be GDPR compliant.

As the Privacy Shield proposal is still being finalized, WP29’s assessment is not fatal. However, it is a clear signal to the EU Commission and to its partners in the US that significant improvements are needed if the scheme is to earn the adequacy decision that will make it a legal mechanism for data transfers. In the meantime, WP29 has repeatedly stated that Binding Corporate Rules and the EC standard contractual clauses (or ‘model clauses’) can be relied upon for data transfers, and represent a safe alternative for former Safe Harbor companies. Although both of these schemes will be reviewed by WP29 in due course, it will not make any decision about them until after Privacy Shield has been dealt with.

If you need any assistance with the fast evolving area of EU – US data transfers, please contact a member of our global Data Protection, Privacy and Security team.

Posted in Telecoms

The future of spectrum

I attended a seminar on the future of spectrum this morning. I thought there were a few interesting points, with international elements, that would be worth sharing:

1. As consumers use more and more data on their mobile devices lack of capacity is increasingly becoming an issue, even with the benefits of 4G.

2. Spectrum will therefore become, if anything, even more important because using more spectrum increases capacity on a mobile network.

3. The other way to improve capacity is to build a denser network – i.e. have more base stations and antennae. This is expensive, but then so is more spectrum!

4. Wifi is also important as a way of moving traffic from mobile to fixed networks.

5. The UK will, by 2020, have made more spectrum available for mobile use than just about any other country.

6. Newer technologies may facilitate dynamic sharing of spectrum between operators’ networks according to demand – though we are quite a few years away from being able to do this in real time.

7. It seems likely that quite a lot more spectrum will be made available worldwide in the medium term (c. 5 years), but this will all be very high frequency (24 GHz+) – this means low propagation, so *much* denser networks will be needed – antennae will need to be located in cities every 100m or so!

8. This means interference between networks will become more of a problem.

9. Site sharing (placing antennae from two networks on the same site) can help with interference problems because each can be planned knowing about the other.

I conclude from all this (though these weren’t specifically mentioned in the seminar) that: (i) when real-time dynamic sharing is possible, this will facilitate whole new business models in the telecoms sector – e.g. a wholesale-only spectrum owner could automatically auction spectrum to the highest bidder in each area continuously, leading to much more efficient use; and (ii) “passive” (or site) sharing will become even more important in future.

We at DLA Piper have already been involved with several network sharing projects, so look forward to more!

Posted in Cybersecurity Internet of Things Privacy and Data Security US Federal Law

NTIA Seeks Comment on IoT Issues

The National Telecommunications and Information Administration (“NTIA”) has sought comment on a broad range of issues related to the advancement and regulation of the Internet of Things (“IoT”), including technological challenges/benefits of IoT, definitional issues, privacy, and cybersecurity related issues, among others. NTIA will use the information to produce a “green paper” in which it intends to identify potential benefits and challenges of the technologies and possible roles of the U.S. government in fostering the advancement of IoT technologies.

Among the broad range of inquiries, NTIA seeks comment on:

  • Novel technological challenges presented by IoT relative to existing technological infrastructure, devices, and policy issues
  • Definitional issues to be used in examining the IoT landscape
  • Whether current and planned laws, regulations, and/or policies foster and/or hinder development and deployment of IoT
  • Role of the U.S. government in establishing policies and rules regarding IoT cybersecurity
  • Privacy considerations specific to IoT, how such considerations are different from other privacy considerations, and role of the U.S. government regarding policies, rules, and/or standards with regard to privacy and IoT.

Comments are due by 5:00 PM EST on May 23, 2016.

Posted in EU Data Protection Privacy and Data Security Technology and Commercial Uncategorized

EUROPE: The Applicability Of EU Data Protection Laws To Non-EU Businesses

Written by Carol Umhoefer (Carol.Umhoefer@dlapiper.com) and Caroline Chancé (Caroline.Chance@dlapiper.com).

This article first appeared in E-Commerce Law and Policy – volume 18 issue 03 (March 2016).

On December 16, 2015, the Article 29 Data Protection Working Party (“WP29”) updated their Opinion 8/2010[1] on applicable law in light of the landmark decision Costeja v. Google[2] rendered by the Court of Justice of the European Union (“ECJ”) on May 13, 2014.

In a context where local data protection authorities are increasingly scrutinizing cross-border data processing operations, companies worldwide need to identify whether and which EU data protection law(s) apply to processing of personal data taking place wholly or partially outside the EU.

Yet the extent of the territorial scope of the Directive has always raised many questions. In 2010, the WP29 concluded in their Opinion 8/2010 that Article 4(1)(a) of the Data Protection Directive 95/46/EC[3] (“Directive”), which provides that a Member State’s data protection law shall apply to data processing “carried out in the context of the activities of an establishment of the controller on the territory of the Member State”, suggests a very broad scope of application.

The exact extent of application remained rather unclear despite the WP29’s guidelines until four years later when the question of whether EU data protection laws should apply to a business based and processing personal data outside the EU came up before the ECJ in the so-called “right to be forgotten” case, Costeja v. Google. In its judgment, the ECJ held that Spanish law applied to the personal data processing performed by the search engine operated by Google Inc., a US-based controller, on the ground that it was “inextricably linked to”, and therefore was carried out “in the context of the activities of” Google Spain, whose advertising and commercial activities constituted the “means of rendering the search engine at issue economically profitable”.

The WP29 have recently updated their 2010 opinion to take into account Costeja. According to the WP29, the implications of the judgment are very broad and should certainly not be limited to the question of determining applicable law in relation to the operation of the Google search engine in Spain. And indeed, Costeja confirms the broad territorial application of Article 4(1)(a) of the Directive that was espoused by the WP29 in 2010. In this respect, the WP29 recall that the notion of establishment in itself must be interpreted broadly, in line with recital 19 of the Directive, which provides that the notion of “establishment (…) implies the effective and real exercise of activity through stable arrangements”[4], such as subsidiaries or branches for example. In Costeja, there was no doubt that Google Spain, the Google Inc. subsidiary responsible for promoting in Spain the sale of advertising space generated on the website google.com, fell under that definition. However, it was disputed whether the data processing in question, carried out exclusively by Google Inc. by operation of Google Search without any intervention on the part of Google Spain, was nevertheless carried out “in the context of the activities of” Google Spain.

The ECJ then introduced a new criterion: the “inextricable link” between the activities of a local establishment and the data processing activities of a non-EU data controller. As underlined by the WP29, the key point is that even if the local establishment is not involved in any direct way in the data processing, the activities of that establishment might still trigger the application of EU data protection laws to the non-EU controller, provided there is an “inextricable link” between the two.

What this “inextricable link” might be raises many questions. The WP29, while insisting on the importance of conducting a case-by-case analysis, considers that, depending on the role played by local establishments, non-EU companies offering free services within the EU, which are then financed by making use of the personal data collected from users, could also be subject to EU data protection laws. The same reasoning would apply, for example, to non-EU companies providing services in exchange for membership fees or subscriptions, where individuals may only access the services by subscribing and providing their personal data to the EU establishments.

The WP29 are careful to say that being part of a same group of companies is not in itself sufficient to establish the existence of an “inextricable link”, and that additional factors are necessary, such as promotion and sale of advertising space or revenue-raising, irrespective of whether such proceeds are used to fund the data processing operations in the EU. But because the examples provided by the WP29 are almost solely based on revenue flow as the source of the “inextricable link”, it is difficult to conceive of what type of multinational will not have such an “inextricable link” between the activities of a subsidiary (let alone a branch) in the EU and a parent company outside the EU. The long arm of the Directive is in effect stretched even further.

Will this criterion still be relevant when the General Data Protection Regulation[5] (“GDPR”) applies, likely by July 2018? Certainly, insofar as article 3(1) provides that the GDPR applies “to the processing of personal data in the context of the activities of an establishment of a controller… in the Union”. But the GDPR goes much farther: not only does it consecrate Costeja by specifying that the GDPR applies “regardless of whether the processing takes place in the Union”, it also applies to processing in the context of the activities of an establishment of a processor in the EU, even if the processing occurs outside the EU. Moreover, relying more explicitly on the “effect principle”, article 3(2) of the GDPR further extends the territorial scope of EU data protection law to any data controller based outside the EU that either: (i) offers goods or services to EU residents; or (ii) monitors the behaviour of EU residents.

Another important aspect the WP29 infer from the Costeja decision concerns the applicable law where a business has multiple establishments in the EU, with a designated “EU headquarters”, and this establishment alone carries out the functions of a data controller in relation with the processing operations in question. The WP29 note that, although the Court did not directly address this question, neither did it distinguish its ruling according to whether or not there is an EU establishment acting as a data controller or being otherwise involved in the processing activities. For the WP29, this means that where there is an “inextricable link”, several national laws may apply to the activities of a business having several establishments in different Member States, regardless of whether one of them qualifies as data controller in respect of the processing in question. This position goes beyond the plain meaning of article 4(a) of the Directive, which provides that “when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable”.[6]

In conclusion, although the WP29’s recent update provides some useful illustrations to help businesses determine whether they should comply with EU data protection law, it does not clarify its exact scope. In particular, WP29’s analysis mostly focuses on websites where data subjects have a connection with one EU establishment, leaving aside other scenarios, such as when data subjects have absolutely no connection with any EU establishment. And the question of how companies are to deal with conflicts of laws remains unanswered. The discussions over these questions promise to be challenging, even more so now with the prospect of the application of the GDPR.

For further information, please contact Carol.Umhoefer@dlapiper.com or Caroline.Chance@dlapiper.com.

[1] WP29, Opinion 8/2010 on applicable law, December 16, 2010.

[2] Case C-131/12, Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, May 13, 2014.

[3] Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[4] Recital 19 of the Directive.

[5] COM/2010/2011 final, Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[6] The recitals of the Directive are admittedly puzzling. Recital (18) states that any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States and processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State. But recital (19) provides that if a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure that each of the establishments fulfils the obligations imposed by the national law applicable to its activities – thereby vitiating the entire concept of separate legal personality, and failing to denote whether those subsidiaries are to be considered controllers or processors.

Posted in EU Data Protection

MATERIALS NOW AVAILABLE ON DEMAND – From Safe Harbor to Privacy Shield: What Now?

We are pleased to offer materials from our March 7 webinar.

The EU announced last month that the negotiations to create a new framework permitting data transfers between Europe and the US have concluded, and the new framework has been agreed. The Privacy Shield text and supporting materials have also been released. The new program, Privacy Shield, sets forth more detailed privacy principles, provides for increased oversight and enforcement, and includes a new arbitration component for dispute resolution.

In our webinar, attorneys from DLA Piper’s Data Protection, Privacy and Security practice discussed the implications of this new agreement and what will happen next.

SPEAKERS:
Andrew Dyson, Partner, DLA Piper, London
Jennifer Kashatus, Partner, DLA Piper, Washington, DC
Kate Lucente, Associate, DLA Piper, Seattle

LINK TO MATERIALS.

FOR MORE INFORMATION
Please contact Venus Figueroa: venus.figueroa@dlapiper.com
