The Federal Communications Commission issued an order on Wednesday, November 14, 2018, eliminating the “Solicited Fax Rule”—a blanket requirement created by the FCC in 2006 requiring senders of facsimile advertisements to include opt-out information on every facsimile, even if the recipient technically “solicited” the advertisement. This order came in (somewhat-delayed) response to the 2017 D.C. Circuit Court of Appeals opinion Bais Yaakov of Spring Valley v. FCC—authored by then-Judge/now-Justice Brett Kavanaugh—which held that imposing such a requirement exceeded the authority given to the FCC by the 2005 Junk Fax Prevention Act. The order explicitly renders moot all pending petitions for retroactive waiver of the Solicited Fax Rule, and has the added effect of resolving any remaining circuit splits on the issue.
Effective January 1, 2020, a new game-changing privacy law will go into effect in California: the California Consumer Privacy Act of 2018 (CCPA). The law will have profound implications for companies that collect personal information, as that term is broadly defined, about California consumers, even if the company is not based in California. For many companies, compliance with the law will require substantial implementation time, not only to address the legal issues but also to implement any operational changes that may be necessary for your company to be able to meet the requirements of the law. We often are asked whether applying an EU-style GDPR compliance program to California residents will be sufficient to address the CCPA. There are substantial differences between the GDPR and the CCPA, such that compliance with the GDPR will not cover all of the CCPA requirements. To this end, we have prepared an overview of the CCPA as well as a brief comparison of key individual rights under the GDPR as compared with the CCPA.
This blog piece sets out an overview of the regulation of broadband networks in the UK, both now and in the future. As can be seen from the (very recent) dates on the various documents referred to, this is an area which is changing rapidly at the moment, and is a strong focus of both regulatory and governmental attention.
The basic principle of telecoms regulation in the UK is that no access regulation will be imposed on any provider of electronic communications networks or services unless it has been determined to have “significant market power” (or SMP) in the relevant market, following a detailed market review and consultation. In the UK (apart from the Hull area), as relevant to fibre, the only company with SMP in any part of any market is Openreach (owned by BT but structurally separated from it).
This means that in some cases Openreach is obliged by OFCOM to offer certain wholesale broadband products on regulated terms. In those cases, OFCOM’s regulations can have an impact both on the wholesale fibre broadband market and also, indirectly, on the prevailing retail prices that any ISP is able to achieve. In setting regulated wholesale prices OFCOM recognises that competing providers will only invest in building their own networks if this is more attractive than buying wholesale services from BT, and so the price of wholesale services, where they are regulated, must be set in such a way as to balance the incentives to invest in new networks (which would suggest higher wholesale prices) with the risk of harm to consumers through consequentially higher retail prices in the shorter term.
Anthem, Inc. has agreed to pay a record-setting $16 million to the US Department of Health and Human Services’ Office for Civil Rights (OCR) to settle alleged HIPAA violations in connection with Anthem’s 2015 health data breach that affected almost 79 million people. In addition to the settlement amount, Anthem agreed to a substantial Corrective Action Plan (CAP) to comply with HIPAA.
The $16 million settlement is nearly three times the previous record of $5.55 million. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino.
The breach occurred when hackers gained access to Anthem’s IT systems after an employee from one of Anthem’s subsidiaries opened a spear phishing email deployed by the hackers. From December 2, 2014 to January 27, 2015, the hackers stole the electronic Protected Health Information (ePHI) of nearly 79 million people, including their names, social security numbers and dates of birth.
In response to media reports of the breach and information on Anthem’s website concerning the incident, OCR initiated a compliance review of Anthem. In addition to the impermissible disclosure of ePHI, OCR’s investigation found that Anthem allegedly failed to conduct an enterprise-wide risk analysis, did not regularly review information system activity, failed to identify and detect security incidents and failed to implement sufficient minimum access controls.
The settlement with Anthem is notable in several respects. First, the settlement amount is far greater than in previous settlements. Second, the settlement appears to target Anthem’s role as a business associate to the Anthem Affiliated Covered Entities (ACE). This makes Anthem the third OCR settlement with a HIPAA business associate. Third, as part of the CAP, Anthem agreed to establish policies and procedures “to address access between Anthem systems containing ePHI, such as network or portal segmentation, and provisions to enforce password management requirements, such as password age.” This aspect of the CAP is significant given that neither the HIPAA regulations nor OCR guidance expressly require network segmentation. That said, adopting such policies and procedures is good practice: segmenting systems that hold ePHI from the rest of the network limits the damage from the common attacker tactic of stealing administrator credentials and then using them to move laterally across the network, which is how the Anthem intrusion spread from a single phished employee to the ePHI data stores.
OCR’s findings are in sharp contrast to the results of a national investigation into the same breach that was led by seven state insurance commissioners. That investigation, the results of which were released in January 2017, found that Anthem took reasonable measures to protect its data prior to the breach. Anthem reportedly paid more than $260 million for security improvements and remedial actions in response to the breach, which appeared to be a factor in the decision of those state insurance commissioners not to impose administrative fines or sanctions.
The Anthem settlement pushes the total amount of fines for HIPAA violations in 2018 to almost $25 million, also a new record. However, it remains to be seen whether this settlement signals higher settlements in HIPAA enforcement actions generally, or should be attributed solely to the large number of affected individuals.
A clear message
The settlement should be viewed as a clear message that OCR will continue to enforce HIPAA vigorously in the Trump era.
To avoid potentially large fines resulting from a HIPAA violation, covered entities and business associates should assess their privacy and security programs and regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports. These entities should conduct a HIPAA risk assessment, which is a comprehensive assessment of risks to ePHI, as required under the Security Rule. Risk assessments, which are an essential step in managing cyber-risk, take time to perform, as evident from the seven months that Anthem was given by the CAP to provide a risk assessment.
With 24 OCR settlements to date against companies for failing to conduct an accurate and thorough risk assessment under HIPAA, OCR has made it clear that inaction on risk assessments will result in an enforcement action.
Learn more about this settlement and its implications by contacting either of the authors.
Written by Mohamed Toorani and Eamon Holley
On 12 July 2018, the Kingdom of Bahrain (Bahrain) issued Law No. 30 of 2018 on the Personal Data Protection Law (PDPL). The PDPL will enter into force on 1 August 2019, giving businesses just under one year from the date of this article to prepare for the new regime.
The PDPL will be a paradigm shift for how business is done in Bahrain. It will provide individuals with rights in relation to how their personal data can be collected, processed and stored. Conversely, it will impose new obligations on how businesses manage this, including ensuring that personal data is processed fairly, that data owners (often referred to as “data subjects” in other data protection laws) are notified of when their personal data is collected and processed and that data owners can exercise their rights directly with the businesses.
The PDPL also imposes new obligations upon businesses to ensure that the personal data they collect is kept secure.
The PDPL will set up a new authority, known as the Personal Data Protection Authority (Authority). This Authority has the power to investigate allegations of violations of the PDPL either by itself, at the request of the responsible Minister, or in response to a complaint.
The Authority can issue orders to stop violations, including emergency orders, and can impose fines. Civil compensation is also available to any individual who has suffered damage arising from the processing of their personal data by the data manager (often referred to as a “data controller” in other data protection laws), or from a violation of the provisions of the PDPL by a business’s data protection supervisor (often referred to as a “data protection officer” in other data protection laws). Finally, the most concerning feature of this law for businesses is that the PDPL carries criminal penalties for violations of certain provisions.
While the PDPL can be compared to laws such as the European Union’s General Data Protection Regulation (GDPR), there are important differences that need to be considered. Businesses operating in Bahrain that have recently implemented a GDPR compliance program will still need to pay close attention to these differences and should be aware of the new obligations in the PDPL.
In this article we review some of the main features of this new law.
The PDPL applies to:
- Individuals normally residing or having a workplace in Bahrain
- Businesses with a place of business in Bahrain; and
- Individuals not normally residing or having a workplace in Bahrain, and businesses not having a place of business in Bahrain, but processing personal data by using means available in Bahrain, unless the use of such processing means is solely for the purpose of passing data through Bahrain without any other purpose
In the last scenario, each business must appoint a local representative in Bahrain to carry out its obligations and notify the Authority of that appointment. The PDPL will therefore have extra-territorial effect. If an individual or business not in Bahrain is processing personal data within Bahrain through means such as their appointed local representatives, the PDPL would apply.
Personal data is defined as any information of any form related to an identifiable individual, or an individual who can be identified, directly or indirectly, particularly through their personal identification number, or one or more of their physical, physiological, intellectual, cultural or economic characteristics or social identity.
Sensitive personal data is a subset of personal data. It is personal data which reveals, directly or indirectly, the individual’s race, ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to their health or sexual life. Sensitive personal data requires more rigorous treatment by data managers.
Processing is defined as any operation or set of operations carried out on personal data by automated or non-automated means, such as collecting, recording, organising, classifying in groups, storing, modifying, amending, retrieving, using or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting or destroying them.
Like the GDPR, the PDPL requires that personal data:
- Is processed fairly and legitimately
- Is collected for a legitimate, specific and clear purpose
- Is sufficient, relevant and not excessive for the purpose of the data’s collection or for the purpose for which subsequent processing is carried out
- Is correct and accurate, and subject to updates whenever necessary; and
- Shall not remain in a form allowing identification of the data owner after meeting the purpose of its collection or for the purpose for which subsequent processing is carried out. The PDPL does allow the storage of anonymised data for a longer time for historical, statistical or scientific research purposes
Processing of personal data can only occur with the consent of the data owner, unless the processing is necessary:
- To implement a contract to which the data owner is a party
- To take steps at the request of the data owner to conclude a contract
- To implement an obligation imposed by law (other than a contractual obligation) or by an order of a competent court
- To protect the vital interests of the data owner; or
- To exercise the legitimate interests of the data manager or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data owner
Processing of sensitive personal data is also prohibited without the consent of the data owner, unless one of the exceptions in Article 5 of the PDPL applies.
However, it is prohibited for data managers to process the following personal data types without the prior written authorisation of the Authority:
- Automatic processing of sensitive personal data of persons who cannot provide consent
- Automatic processing of biometric data
- Automatic processing of genetic data (except for treatment provided by physicians and specialists at a licensed medical establishment, where the treatment is necessary for purposes of preventative medicine or diagnostic medicine, or for the provision of treatment or healthcare)
- Automatic processing that entails the connection of personal data files that are in the possession of two or more data managers that are processing personal data for different purposes; and
- Processing that consists of visual recording to be used for monitoring purposes
Like the GDPR, the PDPL has specific requirements about how consent must be given. For consent to be valid it must be:
- Given by an individual with full legal capacity
- Written, explicit and clear; and
- Issued based upon the data owner’s free will and consent, after being fully informed about the purposes of the processing of their personal data
The data owner has the right to withdraw consent at any time. The Authority’s Board of Directors must issue a resolution setting out the procedure for withdrawing consent and for the data manager’s decision on requests for withdrawal of consent.
RIGHTS OF DATA OWNER
The PDPL introduces several concepts that data managers will need to become very familiar with. Again, those familiar with the GDPR will see similarities here with the GDPR’s data subject rights.
Where the data is collected, directly or indirectly, from the data owner, the data manager must, at the time of registering such data, notify the data owner of the following information:
- The full name of the data manager, their field of activity or profession and address
- The purpose for which the data is to be processed
- Names or categories of the recipients of the data
- Details about the data owner’s rights in respect of the data; and
- Whether the data will be used for direct marketing
This notification is important, because it alerts data owners of their rights regarding their personal data. These rights include:
- To be notified of when their data is being processed
- To object to direct marketing
- To object to processing that causes harm or distress to data owner or others
- To object to decisions made based upon automated processing; and
- To rectify, block or erase personal data in certain circumstances
The PDPL requires that data managers apply technical and organizational measures capable of protecting the data against unintentional or unauthorized destruction, accidental loss, unauthorized alteration, disclosure or access, or any other form of processing.
The PDPL requires that the Authority’s Board of Directors issues a decision specifying the terms and conditions that the technical and organizational measures must satisfy. The decision may require specific activities by applying special security requirements when processing personal data.
Data managers must also use data processors who will provide sufficient guarantees about applying the technical and organizational measures that must be adhered to when processing the data. Data managers must also take reasonable steps to verify that data processors comply with these measures.
Interestingly, there is no mandatory data breach notification provision in the PDPL requiring the data managers to notify the Authority or data owner in the event that there is a breach of personal data held by the data manager.
TRANSFERS OF PERSONAL DATA OUTSIDE OF BAHRAIN
Transfers of personal data out of Bahrain are prohibited unless the transfer is made to a country or region that provides sufficient protection to personal data. Those countries must be listed by the Authority and published in the Official Gazette.
Data managers can also transfer personal data to countries that are not determined to have sufficient protection of personal data where:
- The data owner has consented to the transfer
- The data is from a public register
- The transfer is necessary for:
- Executing a contract between the data owner and data manager, or taking preceding steps at the data owner’s request for the purpose of concluding the contract
- Executing or concluding a contract between the data manager and a third party for the benefit of the data owner
- Protecting the data owner’s vital interests
- Fulfilling a non-contractual obligation imposed by law, or an order of the court, public prosecution, an investigating judge or military prosecution; or
- Preparing, executing or defending a legal claim
Transfers can also be made with the permission of the Authority, issued on a case-by-case basis, if it deems that the data will be sufficiently protected.
APPOINTMENT OF A DATA PROTECTION SUPERVISOR
Data managers may voluntarily appoint a data protection supervisor. The Authority’s Board of Directors may also issue a decision requiring specific categories of data managers to appoint data protection supervisors. However, in all instances, the data manager must notify the Authority of such an appointment within three (3) days of its occurrence.
A data protection supervisor must help the data manager in exercising its rights and fulfilling its obligations prescribed under the PDPL. The data protection supervisor also has a number of other roles, including liaising with the Authority, verifying that personal data is processed in accordance with the PDPL, notifying the Authority of any violations of the PDPL that the supervisor becomes aware of and maintaining a register of processing operations that the data manager must notify the Authority about.
The Authority must create a register of data protection supervisors. To be accredited as a data protection supervisor, an individual must be registered in that register.
ORDERS, CIVIL COMPENSATION AND CRIMINAL PENALTIES
The Authority can issue orders to stop violations, including emergency orders, and can impose fines. Civil compensation is also available to any individual who has suffered damage arising from the processing of their personal data by the data manager, or arising from the data protection supervisor’s violation of the PDPL. Appeals can be made against decisions of the Authority.
Finally, the PDPL also carries a range of criminal penalties and administrative fines for violating certain provisions.
Criminal penalties of imprisonment of not more than one (1) year and/or a fine between BHD 1,000 (circa US$ 2,645) to BHD 20,000 (circa US$ 52,910), can be issued against any individual who:
- Processes sensitive personal data in violation of the PDPL
- Transfers personal data outside Bahrain to a country or region in violation of the PDPL
- Processes personal data without notifying the Authority
- Fails to notify the Authority of any change made to the data of which they have notified the Authority
- Processes certain personal data without prior authorization from the Authority
- Submits to the Authority or the data owner false or misleading data to the contrary of what is established in the records, data or documents available at their disposal
- Withholds from the Authority any data, information, records or documents which they should provide to the Authority or enable it to review them in order to perform its missions specified under the PDPL
- Causes to hinder or suspend the work of the Authority’s inspectors or any investigation which the Authority is going to make; and/or
- Discloses any data or information to which they have access by virtue of their job, or uses such data or information for their own benefit or for the benefit of others, unreasonably and in violation of the provisions of the PDPL
Businesses that have already implemented a data protection compliance program under the GDPR may have developed some of the infrastructure that will apply under the PDPL; however compliance with the GDPR will not guarantee compliance with the PDPL. For example, businesses that are data managers will need to:
- Recognise the right of Bahraini data owners to object to processing of personal data that causes harm or distress to the data owner or another person (this is not a data subject right found in the GDPR)
- Notify the Authority of their processing; and
- Obtain prior written approval of the Authority to process certain types of personal data (this is not found in the GDPR)
Finally, the risk of criminal penalties is a risk that is not found in the GDPR (although it is possible that Member States of the European Union may have specific laws that may be similar).
As a first step, a business will need to determine whether its activities mean that it falls within the definition of a data manager. If it does, then it will need to determine what sort of personal data it is collecting, from whom, and for what purposes. Data managers need to ensure that they are collecting and processing personal data and, in particular, sensitive personal data, in accordance with the PDPL, including notifying the Authority of their processing activities, or preparing submissions for permission to process certain types of personal data.
DLA Piper’s Middle East data protection team has deep experience in assisting clients in assessing their data protection compliance risks, and developing remediation and compliance programs.
Although the PDPL will become effective on 1 August 2019, our experience with the GDPR has shown us that data mapping exercises are often complex and resource intensive exercises. Early preparation for commencement of the PDPL will pay off in the longer term.
The Italian privacy law integrating the GDPR is finally in place, but a number of its provisions remain unclear and yet require immediate action.
As we look around in the mid part of 2018, the outsourcing industry is in something of a state of flux. There are certainly plenty of challenges. In the UK at least (and particularly vis-à-vis the public sector), a harsh spotlight is being shone on outsourcing. Similarly, the wider global movement towards protectionism and national insularity is also affecting outsourcing (with visas for workers becoming ever more difficult to come by). The technical foundations for many outsourced services have also shifted, with automation and AI making far-reaching changes to the mode of service delivery, and cloud-based offerings increasingly competing with more traditional managed service models.
On a more positive note (and it is good to keep a sense of balance!), the capabilities of these new technologies are also opening new doors and making outsourcing viable in relation to organizations and types of services which previously might not have been considered as potential outsourcing candidates. At the same time, the potential returns are increasing for providers and customers alike; the scope of BPO offerings continues to expand, and there are more geographic options available than ever before (not just because of the growth of service capabilities in places like South Africa, but also because the move towards digital rather than human labor means that labor arbitrage, and the bias toward such locations as the Philippines or India, is less of a factor than it used to be).
At the same time, we are seeing some interesting challenges in the negotiation of contract terms for such deals.
Perhaps the most obvious candidate is the apportionment of responsibility and risk associated with data and data privacy. This is at its most acute in the EU owing to the arrival of the General Data Protection Regulation (GDPR) and its much publicized 4 percent/2 percent of global turnover fines. It would be a mistake to consider just the GDPR: laws and regulations around cybersecurity and protection of both personal and non-personal data are also high on the scale as board-level concerns. We are seeing far greater levels of attention being given to data breaches that attack prominent companies, and inevitably such breaches make people ask who has the means to help guard against such breaches, and who should bear responsibility if they arise.
This is a particularly difficult issue, because no system is ever 100 percent secure. Unfortunately, during such a stressful time, hindsight has its attractions; it is easy to look back and claim that if a breach of security occurred, then the steps taken to prevent it must have been defective or insufficient.
While customers are looking to raise their levels of protection in this regard (eg, arguing for unlimited liability, and potentially on an indemnity basis), the service provider community has understandably been moving in the opposite direction. Even though data protection losses might historically have featured in some of the lists of unlimited liabilities, they now tend to be either lumped with the more general limit of liability, or (more frequently) proposed to be subject to a separate data-specific cap.
There are a number of aspects of this separate cap which remain to be worked out in terms of what might ultimately become a market norm, including:
- How does the cap deal with other interlinked liabilities (eg, does it cover just claims from data protection regulators, or also claims from data subjects and internal rectification and remediation costs? Does it cut across the confidentiality obligations? And does it cover solely personal data, or other data-related liabilities as well?)
- What should the cap’s quantum be? Is it to be set as an absolute figure, or by reference to some multiple of the contract charges?
- Would the cap then be separate and free standing, or operate as an uplift to the normal limit of liability, which would have to be exhausted first?
Another key challenge: the impact of the cloud, not so much in terms of cloud offerings taking the place of traditional outsourcing arrangements, but more in the context of the use of cloud-based services as part of the supply chain (such as where an outsourced service provider uses the services of a third party to provide IaaS or PaaS capacity and flexibility as part of the foundation for the end-to-end outsourced service).
The issue in this regard is that the providers of such services – and they are becoming ever more prominent and powerful – tend to be very restrictive in their contract terms, not just regarding liability-related provisions such as limits of liabilities, warranties and service levels (on which an outsource service provider could in any event take a view as to what degree of “prime contractor risk” it is willing to bear), but also regarding the kinds of provisions that the outsource service provider might actually need to flow down, if it is to be able to strictly comply with its own obligations to its end customer (with audit rights being a particular example).
We increasingly see outsource service providers trying to limit their liabilities and obligations in this regard to apply only to the extent that they have in fact been able to flow them down to the relevant cloud provider. This is clearly a somewhat unpalatable position for the customer. Resolving the related negotiations will be a matter of bargaining leverage as opposed to whether one party is “right” or “wrong” regarding the way the issue should be addressed. This trend, however, also is giving rise to an increase in more multi-source style arrangements, whereby the customer itself may enter into the contract with the cloud service provider rather than having the main outsource service provider acting as prime contractor in relation to those services (ie, on the principle that if the customer gets no additional contractual benefit from having the outsource service provider in the contract chain, it might as well retain the flexibility of having a direct link to the cloud provider and also avoid any potential margin on costs that the outsource service provider might otherwise have levied).
And so we come to liability provisions. From one point of view, and with the possible exception of data-related liabilities as referred to earlier, one could argue that there is no particular reason why the contractual approach to liability provisions in outsourcing agreements should be subject to any substantial revisionist thinking. However, there are solid reasons why one should keep an open mind in this regard. After all, the setting of liability limits has historically always been (at heart) about balancing risk and reward, and that balance is certainly shifting, not least in the light of some of the factors mentioned in this post. Just as outsource service providers might be looking to reduce or limit more of their potential liabilities, sophisticated customers are also reviewing their approaches. Blanket exclusions of loss of profit, for example, while still very common, are more often challenged. Customers with operations in both civil and common law jurisdictions are also inclined to ask why they can potentially recover uncapped liabilities when due to “gross negligence” in one country, but not another, even though the services are the same and are even potentially provided by the same supplier. As a further step, one might imagine that a similar challenge might be made in respect of absolute exclusions of indirect loss (a common law concept which is not similarly viewed in civil law jurisdictions).
So, this is all good news for those of us engaged in the negotiation of outsourcing contracts (for both supply and buy sides) – after all, coming up with solutions for new problems and challenges is how we keep our minds young!
The Italian Council of Ministers approved the final text of the Italian privacy law integrating the GDPR, raising major concerns about the scope of the law.
On 17 July 2018 the European Union and Japan agreed to recognize each other’s data protection systems as ‘equivalent’ and to adopt reciprocal adequacy decisions.
What is an adequacy decision?
An adequacy decision is a decision establishing that a third country provides a level of protection for personal data comparable to that in the European Union. As a result, personal data can flow from the European Economic Area (EEA) (the 28 EU Member States as well as Norway, Liechtenstein and Iceland) to that third country without being subject to any further safeguards or authorizations.
An adequacy decision is one of the tools provided for under the General Data Protection Regulation for transferring personal data from the EU to third countries.
What does it mean for business?
**NOTE – THERE IS AN UPDATED VERSION OF THIS NOTE HERE **
The new European Communications Code (the “Code” – which we have blogged about here) will introduce a mechanism allowing investments in fibre networks made by operators with significant market power (SMP), in some circumstances, to be excluded from the normal access rules that are usually imposed by national regulatory authorities (NRAs). This blog piece will discuss this further and look at some possible models that could qualify for the exemption before concluding with some comments critiquing this new approach on the basis of its deviation from the well-respected (and broadly successful) approach that would otherwise have applied. For the reasons explained below the new rules could even act as a disincentive to new investment over the next two (plus) years.
The Exemption – Commitments and the “cumulative conditions”.
The rules on co-investment are contained in Article 74 of the Code. The latest (though not necessarily final) draft says that:
Undertakings that have been designated as having SMP may offer “commitments” to open the deployment of a new very high capacity network (that consists of optical fibre elements up to the end-user premises or base station) to co-investment.
The first point to note, then, is that this applies only to optical fibre and would not apply to other technologies (such as satellite) irrespective of their merits. This is of course a deviation from the normal principles of technology-neutrality that usually govern EU telecoms regulation.