Safety of US-EU Safe Harbor Given Boost

This post was written by Cynthia O'Donoghue.

Following months of uncertainty about the future of the EU-U.S. Safe Harbor Framework, political leaders from the EU and the United States reiterated their commitment to the regime in a joint statement issued 26 March (the Statement).

EU-U.S. Safe Harbor is designed to essentially transpose EU data protection law into U.S. law so that organisations certified to the program are deemed to adequately protect personal data transferred from the EU to them in the United States. 

The future of the Safe Harbor regime was cast into doubt last year, following Edward Snowden’s revelations about the extent of NSA information gathering. In November 2013, the European Commission released a Strategy Paper which noted that “the current implementation of Safe Harbor cannot be maintained.” In particular, the paper pointed to shortcomings in transparency, enforcement and the use of the national security exception.

The situation became worse at the beginning of last month when a resolution of the EU Parliament drastically called for the “immediate suspension” of the Safe Harbor regime on the ground that it provides an insufficient level of protection to EU citizens.

The Statement is the latest development in the saga, with officials pledging to maintain the Safe Harbor framework subject to a commitment to strengthening it “in a comprehensive manner by summer 2014”. This demonstrates a slightly more diplomatic approach, which should be reassuring to businesses that currently rely on the Safe Harbor exception.

The Statement also confirms the commitment of the EU to introducing a new “umbrella agreement” for the transfer and processing of data in the context of police and judicial proceedings. The aim of this agreement is to provide citizens with the same level of protection on both sides of the Atlantic, with judicial redress mechanisms open to EU citizens who are not resident in the United States. Negotiations around this agreement commenced in March 2011, and are still on-going.

State Attorneys General Maintain Sharp Focus on Privacy

This post was written by Mark S. Melodia and Christine E. Nielsen.

Though the National Association of Attorneys General (NAAG) Presidential Initiative “Privacy in a Digital Age” expired in June 2013 when a new NAAG president took over, the state attorneys general have maintained their sharp focus on all things privacy, with no signs that that focus will shift anytime soon. Most recent case in point: a $17 million settlement with Google related to Google’s use of tracking cookies on Safari browsers. 

On November 18, 37 states and the District of Columbia announced the settlement with Google, which resolves an investigation that began in February 2012. Default settings on Apple’s Safari browser do not allow for tracking across different websites.  The investigation centered on whether Google tricked the browser into allowing such tracking, ostensibly in contradiction to the user’s choice not to be tracked. Google faced similar scrutiny from the FTC, which entered into a $22.5 million settlement with the search engine giant late last year.

In addition to the $17 million payment, the state AG settlement prohibits Google, without the express consent of an individual user, from overriding that user’s Internet browser’s setting to block tracking cookies. Google is also prohibited from misrepresenting the extent to which a user can manage how Google serves advertisements. Google must create and maintain a page that informs users about cookies, Google’s use of cookies, and user control over cookies.  This separate “Cookie Page” must be maintained for five years.

Privacy investigations and enforcement actions are not just handled through the multistate vehicle; individual states are pursuing their own actions, scrutinizing website and mobile app privacy policies, investigating data security breaches, and paying close attention to how entities treat sensitive data like children’s information and health information. For example, California has been particularly active in this area, releasing mobile app best practices guidance earlier this year, which followed on the heels of enforcement actions filed against mobile application developers for alleged non-compliance with California’s privacy policy requirements.
Several states have also flexed their muscles in the health care arena, enforcing data breach notification requirements for the loss of protected health information under the Health Insurance Portability and Accountability Act (HIPAA). Connecticut led the charge in 2010, exercising the new enforcement authority granted to the states under the HITECH Act, with a lawsuit against Health Net. In 2012, both Massachusetts and Minnesota entered the arena with investigations of their own. With this year’s release of final rules under HITECH and a renewed national focus on health care, we wouldn’t be surprised to hear about more states jumping into that privacy arena soon.

Awaiting the Release of the HITECH Final Rule

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

As the year is coming to an end, the industry is speculating the release date of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) final rule. The final rule is expected to address modifications to the Privacy, Security, Enforcement, and Breach Notification Rules, and with the release date yet to be determined, it is important for Covered Entities and Business Associates to be prepared for the upcoming changes.

Please click here for a more detailed analysis on our sister blog, Life Sciences Legal Update.

UK Information Commissioner's Office Issues Cloud Guidance

This post was written by Cynthia O'Donoghue.

With a need for mobile access to data and the influx of innovative and affordable cloud computing products to global markets, organisations are shifting towards a greater use of the cloud. In response to its growing popularity, the Information Commissioner’s Office (ICO) has published guidelines on data protection compliance issues surrounding cloud computing. The practical guidelines not only provide a high-level analysis of how to apply data protection rules to cloud contracts, but also consider the various issues surrounding migration to the cloud and provide a checklist for those organisations adopting cloud services.

The distinction between data controller and data processor is of critical importance to data protection and can be complex in relation to cloud computing. The ICO helps navigate this issue by demonstrating data controller and processor roles in various scenarios. The cloud customer is generally considered the data controller as it determines the purposes and the manner in which any personal data are being processed. The ICO suggests that the precise role of the organisation that owns and operates the cloud service (“Cloud Provider”) should be reviewed in each case in order to determine whether or not it is processing personal data.

Data controllers, to remain compliant with the UK Data Protection Act, must consider the following key areas:

  • Security
    • Assess personal data and the risk to that data by putting it into the cloud.
    • Obtain sufficient guarantees from the cloud provider about security measures. The ICO supports the use of industry-recognised standards.
    • Protect personal data in transit through use of encryption, especially where sensitive data is being processed.
    • Ensure measures are in place to prevent unauthorised access, including individual usernames and passwords for each cloud user.
    •  Institute a continual cycle of monitoring, review and assessment of the cloud provider’s security controls.
  • Data Retention and Deletion
    • As most cloud providers are likely to have multiple copies of data stored in various locations for disaster recovery, cloud customers should ensure that all copies of personal data no longer required can be securely and timely deleted.
  • Audit
    • If it is not possible to obtain audit rights because of shared cloud services, the ICO recommends an independent third party to avoid the need for each customer to conduct a separate audit.
    • The cloud provider should only be permitted to process personal data for specified purposes and not without the agreement of the cloud customer.
  • Data Transfer
    • Cloud servers may be located outside the UK which can make it difficult to establish where data is being processed. The cloud customer should therefore request from the cloud provider a list of countries where data will be processed and the safeguards in place in each location. Furthermore, the cloud provider should explain when data will be transferred to the locations.

The ICO recognizes the benefit of cloud computing and this new guidance contains pragmatic suggestions to assist organizations in conducting due diligence on a cloud supplier, and in ensuring data protection compliance.

Obama Administration Finalizes Its Privacy Framework: DOC Steams Ahead with Privacy Regulatory Blueprint in the Absence of Federal Privacy Legislation

This post was written by Paul Bond, Judith L. Harris, John P. Feldman, Christopher G. Cwalina and Amy S. Mushahwar.

Today, in a ceremony with much fanfare, Secretary of Commerce John Bryson and Federal Trade Commission Chairman John Liebowitz outlined the Obama administration's privacy blueprint for a "consumer bill of rights." Shortly thereafter, the Department of Commerce released its long-awaited consumer privacy green paper entitled,"Consumer Data Privacy in a Networked World" (the "Final Report"), which follows up on a draft staff report issued well over a year ago [see our previous post, Privacy: A Washington Tale of Two Reports].

Like the previous draft, the Final Report calls for a comprehensive privacy framework for all data, instead of the current sector-specific approach to data protection that leaves some personal data (outside of the communications, health care, education, financial services and children's-online sectors) largely unregulated. The Final Report calls for federal legislation to create such a "privacy bill of rights" that would supplement and fill in the gaps of existing federal privacy policy. However, scores of privacy bills have been introduced in 2010, 2011 and 2012, and few expect a comprehensive privacy bill to pass during a bitter election year.

Knowing that privacy legislation will be difficult to pass this year, the administration also laid out a set of voluntary privacy standards in the Final Report that could be adopted by industry in the absence of legislation. The Commerce Department indicated today that it is confident industry will adopt this cooperative approach for a privacy public-private partnership. Secretary Bryson also indicated that his office already conducted extensive outreach with Internet companies, data collection companies, retailers, ad networks, privacy advocates, academics and consumer groups to encourage the voluntary adoption of seven data-handling principles:

1. Individual Consumer Control of Data Through Choice Mechanisms
2. Greater Consumer Transparency
3. Respect for Data Context
4. Secure Handling of Data
5. Consumer Data Access & Correction Rights (Data Hygiene)
6. Focused Collection (Data Minimization)
7. Accountability (through audit controls and vendor contractual obligations)

Such a voluntary code, however, comes with a carrot and an eventual stick. The carrot: FTC enforcement actions regarding online privacy matters are ongoing. As indicated in the Final Report, if the industry adopts any voluntary code that is developed, then in any investigation or enforcement action based on an FTC Section 5 unfair and deceptive trade practices action, the FTC would consider a company's adherence to the voluntary codes favorably. The stick comes in a few weeks. The Federal Trade Commission is expected to release its Final Staff Report on Consumer Privacy that will be in sync with the administration's blueprint. Non-adherence to a Final FTC Staff Report could be used as evidence of a Section 5 violation, even in the absence of any general privacy federal legislation.

In the coming weeks we will be releasing more granular guidance on how companies should begin evaluating their respective privacy practices, as well as other elements of the staff report (i.e., international harmonization, the role of U.S. state attorneys general, and DOC support of national data breach standard legislation).

 Please click here to view additional information from the Reed Smith Teleseminar "The Department of Commerce Steams Ahead with Privacy Regulatory Blueprint: What you Need to Know." 



Markey Releases Discussion Draft of the Mobile Device Privacy Act

This post was written by Amy S. Mushahwar.

Today, in response to the controversy surrounding cellphone tracking software from Carrier IQ, U.S. Representative Edward Markey (D-MA) released a draft of a cellphone privacy bill.

As background, the Carrier IQ software first made headlines in November, when a researcher posted a YouTube video claiming to show that the Carrier IQ software records users' every keystroke, including the websites they visit, the contents of their text messages and their location. Carrier IQ, a California-based software company, says its software is installed on 140 million phones, but the company does not track keystrokes or user's locations. Carrier IQ now faces a federal investigation and multiple lawsuits on this matter.

The Markey legislation aims to remedy the perceived privacy deficiencies. In its present form, the Markey discussion draft would require companies to:

  • Disclose any mobile tracking software when a consumer buys a device (or after sale if it is later installed by a carrier or placed within a mobile application downloaded).
  • Notify consumers what information may be collected, any third parties to which the information would be disclosed and how such information will be used.
  • Obtain express consent before the tracking software collects or transmits information.
  • Require any third party receiving collected personal information to have policies in place to secure the information.
  • Require any third parties to prepare and file agreements on information with the Federal Trade Commission (FTC) and Federal Communications Commission (FCC).

Additionally, the legislation contemplates outlining an enforcement regime for the FTC and FCC, along with State Attorney General enforcement and a private right of action. Representative Markey is the co-chair of the Bi-Partisan Congressional Privacy Caucus, and he has previously investigated the privacy and data security practices of Google, Apple, Facebook, Amazon, and others.

Indian Government discussing BlackBerry ban: "security more important than privacy"

This post was written by Cynthia O'Donoghue, Katalina Chin and Katharina Weimer.

A few days following the concession made by BlackBerry manufacturers, Research in Motion (RIM), to provide Indian security agencies access to their encrypted data, India’s Home Minister P. Chidambaram held “security to be more important than privacy”.

Security concerns in India have certainly risen following the terror attack on Mumbai in November 2008, the worsening violence in the disputed region of Kashmir and a rising Maoist insurgency in a mineral-rich territory of the East. And certainly, such concerns may be flared by the fact that attacks are often coordinated using mobile phones, satellite phones and voice over internet calls. These mounting fears over terrorism have led the Indian Government to demand from their first target, RIM, full access to the encrypted data of BlackBerry users in India.

Canadian company RIM refused this request on technical grounds, arguing that the information would be impossible to provide. However, in the knowledge that data is provided by RIM to other countries the Indian Government stuck firm to their demand: then why not India? While the private service, Blackberry Internet Service (BIS), offered by RIM uses their own servers for communication, RIM maintained it is not possible for them to access the business service (Blackberry Enterprise Service (BES)). Indeed, the level of privacy afforded to RIM’s corporate customers is a strong selling point and providing governments with access to email communication for surveillance purposes has the potential to breach a fundamental principle of RIM's business approach: customers' trust in the confidentiality of their communications.

Following RIM's refusal to grant access, the Indian Government issued an ultimatum: if they did not grant full access to all data (encrypted or not), India would block the mail service of the smart phone manufacturer entirely. Fearing this ban on their business in India, one of the fastest growing smart phone markets of the world, RIM conceded to the Indian Government's requests and made several suggestions to resolve the issue of providing access to their data. The decision made by Nokia, RIM’s main competitor in the region, to set up servers in India to facilitate government monitoring, may well have weakened any bargaining position that RIM were hoping to play on.

The measures to be adopted by RIM have yet to be made public but the proposals are seemingly sufficient for the Indian government to grant a two-month grace period to evaluate RIM’s suggestions. While the reprieve offers Blackberry users in India some breathing space, it is unclear whether RIM will be in a position to satisfy the interests of both the Indian Government in security and surveillance and their customers in ensuring the privacy of their communications. India’s Home Secretary is due to meet officials from the Department of Telecommunications, the Intelligence Bureau and the National Technical Research Organisation on Monday the 6th of September to discuss Blackberry security issues.

In light of this development and the Indian Government’s priority on national security over privacy, there is likely to be mounting fear amongst similar online communications companies that they may be the next target and have to provide access to encrypted data transmitted online. RIM has faced similar issues in other countries, including Saudi Arabia, the United Arab Emirates, Lebanon and Indonesia.