And Then There Were Two – New Mexico Set to Become 48th State to Enact Data Breach Notification Law

While there is no federal law requiring companies to notify individuals of data breaches, South Dakota and Alabama will be the only states without data breach legislation if Gov. Susana Martinez signs New Mexico’s H.B. 15, which the state legislature passed March 16. While the bill itself applies only to New Mexico residents, passage of H.B. 15—to be known as the “Data Breach Notification Act”—could put additional pressure on the United States Congress to draft federal legislation for data breach notification, so that companies can base compliance on a single standard rather than a patchwork of state laws. Either way, the Act adds further requirements to that patchwork.

New Mexico’s Data Breach Notification Act, as passed by both houses of the state legislature, imposes several requirements on any “person” who “owns or licenses records containing personal identifying information of a New Mexico resident.” Those requirements include:

  • “proper disposal” of records containing personal identifying information when those records are “no longer reasonably needed for business purposes”;
  • “implement[ing] and maintain[ing] reasonable security procedures and practices appropriate to the nature of the information,” and requiring any retained service providers to do the same;
  • breach notification “in the most expedient time possible, but not later than thirty calendar days following discovery of the security breach.”

Notification is not required where, “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.”


German Federal Minister of Justice introduces new bill against criminal content on social networks

On 14 March 2017, the German Federal Minister of Justice, Heiko Maas, announced a new bill aimed at improving the application of the law to social networks (Entwurf eines Gesetzes zur Verbesserung der Rechtsdurchsetzung in sozialen Netzwerken; Netzwerkdurchsetzungsgesetz – NetzDG, the Bill). The Bill strengthens the rights of individuals who are affected by ‘hate speech’ or ‘fake news’ placed by third parties on social networks. The Bill also sets out binding standards for an effective and transparent complaint management system and establishes a duty for social networks to issue quarterly reports on their handling of user complaints about criminal content.

Scope of and definitions under Bill

The Bill shall apply to internet platform providers that enable users to make content available to, or share content with, other users (Social Networks). Social Networks with fewer than 2 million registered users in Germany shall be exempt from the obligation to (1) issue reports and (2) establish and implement a complaint management system.

The Bill shall apply to Criminal Content, i.e., content which is in breach of the following sections of the German Criminal Code:

  • Section 86 (Dissemination of propaganda material of unconstitutional organisations)
  • Section 86a (Using symbols of unconstitutional organisations)
  • Section 90 (Defamation of the President of the Federation)
  • Section 111 (Public incitement to crime)
  • Section 126 (Breach of the public peace by threatening to commit offences)
  • Section 130 (Incitement to hatred)
  • Section 140 (Rewarding and approving of offences)
  • Section 166 (Defamation of religions, religious and ideological associations)
  • Section 185 to 187 (Insult; Defamation; Intentional defamation)
  • Section 241 (Threatening the commission of a felony)
  • Section 269 (Forgery of data intended to provide proof)

Effective complaint management system

Under the Bill, Social Networks are required to implement and maintain an effective complaint management system, and in particular:

  • Offer their users a straightforward complaint procedure
  • Acknowledge user complaints in due course and assess whether any content complained about is Criminal Content
  • Block or delete content which is obviously Criminal Content within 24 hours after receipt of a valid complaint
  • Block or delete other Criminal Content within seven days after receipt of a valid complaint
  • Inform users about decisions relating to complaints

Duty to issue reports

Social Networks shall be obliged to issue quarterly reports on the handling of user complaints about Criminal Content. The required content of those reports is specified in the Bill, and comprises, in particular, information on the number of user complaints received and details of the personnel responsible for processing the complaints. The reports shall be made publicly available on the internet.

Authorised Agents

The Bill also requires each Social Network to identify an authorised agent within Germany. The authorised agent shall be responsible for receiving documents relating to administrative fines and to court proceedings before German courts.

Fines

Social Networks that do not fully comply with the above requirements shall be subject to administrative fines of up to €50 million.

First reactions to the Bill

Both stakeholders and politicians have already raised a number of different concerns about the Bill. In particular, it has been argued that the deadlines for deletion or blocking of content are too short. Furthermore, many view the Bill as a restriction on the freedom of speech. In light of the federal elections in Germany on 24 September 2017, it appears rather unlikely that the Bill will be approved by the German Parliament prior to the elections. However, this remains to be seen, as does the form that the Bill might finally take.

FTC’s FinTech Forum continues focus on emerging technologies including AI and Blockchain Technologies

The Federal Trade Commission continues its efforts to be the leading federal regulator in the areas of privacy and data security. Its latest FinTech Forum highlights emerging issues relating to blockchain, machine learning, and related tools that increasingly influence how sensitive information about consumers is collected, used, shared and secured. These programs help inform the agency’s efforts as it sets policy aimed at protecting consumers, while also promoting innovation that benefits consumers. Programs such as the latest emerging issues forum help the FTC to understand the “ways in which these technologies are being used to offer consumer services, the potential benefits, and consumer protection implications as these technologies continue to develop.”

Following the FTC’s focus on these issues provides clarity for companies on the ways in which the agency is targeting consumer protection, as well as an opportunity for them to participate in a conversation that showcases the ways in which innovation can benefit consumers.

Click here to read our Client Alert for a more in-depth look at the Commission’s efforts in this emerging area.

Vizio Settlement with FTC May Signal Future Direction of Agency Enforcement

The Federal Trade Commission’s recent settlement with VIZIO, Inc., may have created a new definition of “sensitive information” that includes viewing data, but the opinion of Acting Chairperson Maureen Ohlhausen may provide further insight on how the agency will act under the new administration.

On February 6, the FTC settled charges with VIZIO, one of the world’s largest manufacturers and sellers of internet-connected “smart” televisions. VIZIO agreed to pay $2.2 million based on allegations that it installed software on its TVs to collect viewing data on 11 million consumer TVs without consumers’ knowledge or consent. After capturing this second-by-second information about what was shown on these TVs, VIZIO allegedly appended demographic information to the viewing data, including sex, age, income, marital status, household size, education level, home ownership, and household value, and subsequently sold this information to third parties who used it to target advertising to consumers across devices.

The Order requires VIZIO to prominently disclose and obtain affirmative express consent for its data collection and sharing practices, and prohibits misrepresentations about the privacy, security, or confidentiality of the consumer information it collects. It also requires VIZIO to delete data collected before March 1, 2016, and to implement a comprehensive data privacy program with biennial assessments.

Significantly, the FTC’s complaint states that television viewing activity is “sensitive” and that VIZIO’s collection and sharing of that sensitive data without consumers’ consent has caused, or is likely to cause, substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition, and is not reasonably avoidable by consumers, making it an unfair act or practice in violation of Section 5(a) of the FTC Act.

In response to the agency’s characterization of television viewing activity as “sensitive,” which had not been stated explicitly in any prior FTC statements, Acting Chairperson Maureen Ohlhausen wrote a concurring statement highlighting the implications of this new policy.

“There may be good policy reasons to consider such information sensitive,” Ohlhausen wrote. “Indeed, Congress has protected the privacy of certain video viewing activity by passing specific laws, such as the Cable Privacy Act of 1984. But, under our statute, we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.”

As a result, Ohlhausen wrote, “This case demonstrates the need for the FTC to examine more rigorously what constitutes ‘substantial injury’ in the context of information about consumers. In the coming weeks I will launch an effort to examine this important issue further.”

The concurrence of Ohlhausen, currently the lone Republican commissioner, may signal the direction that the FTC will take under the Trump administration, especially given that there are several vacancies that will soon be filled by appointments. By promising a new effort to scrutinize the FTC’s interpretation of what constitutes “substantial injury” to consumers’ information, Ohlhausen has indicated that there may be a reexamination of privacy-based enforcement to ensure that it is focused on practices that have the capacity to cause substantial injury to consumers. There is likely to be a greater emphasis in the privacy and data security area on a cost-benefit approach that assesses risk to consumers, limits expansion of the definition of “personal information,” and confines enforcement to “sensitive information” compromises that cause “substantial injury” to consumers.

Ohlhausen’s concurrence would also appear to echo concerns about due process and predictability of enforcement, which were at issue in previous enforcement actions.

The Commission’s Order, as a whole, may herald increased attention to the deception of consumers by omission, such as by failing to adequately notify them of the collection of their sensitive data. As the Commission focuses more on substantial injury, deception claims may go hand in hand with unfairness claims, as well. The FTC has made privacy enforcement a high priority, and as consumers and their advocates press the agency for action, that is unlikely to change; however, under Ohlhausen and the new appointees, we may see a shift in enforcement that more heavily scrutinizes proposed expansions of liability.

Coalition of human rights organisations call for suspension of Privacy Shield

The EU-U.S. Privacy Shield has come under scrutiny once again after 17 civil society organisations (the Coalition) sent a letter to the European Commissioner for Justice and Consumers.

The 28 February 2017 letter raises the issue as to the breadth of Section 702 of the FISA (Foreign Intelligence Surveillance Act) Amendments Act (FAA), which provides authority for the United States government’s PRISM and UPSTREAM surveillance programmes. The Coalition argues that these programmes violate international human rights standards, as they require internet companies to capture and turn over to the government communications within very broadly defined categories.

Section 702 surveillance powers were the focus of the Court of Justice of the European Union (CJEU) decision that invalidated the ‘safe harbour’ arrangement for transfers to the United States, and the Coalition’s letter recommends that the FAA be amended in order to comply with that decision. The Coalition argues that, in the meantime, the Commissioner must suspend the Privacy Shield. Though officially approved by the European Commission, the Privacy Shield continues to face criticism and calls for its suspension. Human rights organisations have argued that the Privacy Shield still fails to comply with the CJEU’s requirements, noting fears that it is insufficient to ensure protection of the rights of digital users; that it will perpetuate human rights violations; and that it will undermine trust in the digital economy. The Coalition reiterated these arguments in its recent letter.

The Coalition recommends that revisions to the FAA address the breadth of its definitions, the amount of data retained in surveillance databases, the number of innocent individuals that can be ‘targeted’, and the lack of limits on dissemination of data between agencies and to the United States’ international partners. At present, Section 702 authorises collection provided that a “significant purpose” of collecting the data is to obtain foreign intelligence information. This has served as a loophole for the FBI to collect data without a warrant for criminal investigations. Section 702 is broad enough to allow any non-U.S. person outside the United States to be targeted on the basis that they are likely to reveal foreign intelligence information. The NSA recently targeted a pro-democracy activist in New Zealand under the PRISM programme on the basis of erroneous claims by the New Zealand government that this individual had been planning violent attacks.

Section 702, along with several other sections of the FAA, expires on 31 December 2017. The U.S. Congress has twice voted to reauthorise the law, with the most recent reauthorisation occurring in 2012. In May 2016, the U.S. Congress began debating whether to reauthorise Section 702 a third time. A number of advocacy groups in the United States believe that Section 702 should be allowed to expire on 31 December 2017, and have created a countdown to that date.

EU data protection authorities approve Google’s Cloud commitments for international data transfers

Google has announced that the EU data protection authorities have reviewed and confirmed its Google Cloud services’ contractual commitments as fully compliant with the EU requirements for transferring personal data to third countries outside the European Economic Area (“EEA”).

Model contract clauses

The review was carried out in line with Working Paper 226 (‘WP 226’). WP 226 outlines the procedure where data protection authorities can decide whether an organisation’s contracts comply with the European Commission’s model contract clauses, in line with Decision 2010/87/EU.

The data protection authorities (including the Irish data protection authority as the lead, and Spanish and Hamburg authorities as co-reviewers) confirmed that Google’s agreements for international transfers of personal data for Google Apps (now ‘G Suite’) and for its Google Cloud Platform align with the European Commission’s model contract clauses.

The EU model contract clauses are standard contractual clauses used in agreements to ensure any personal data leaving the EEA will be transferred in compliance with the Data Protection Directive 95/46/EC.

The WP 226 procedure

WP 226 requires that the data protection authorities from the relevant Member States review the clauses, and that the review is managed by a lead authority. The lead authority may be selected by the applicant organisation based on criteria set out in WP 226 – for example, the location where the clauses are decided and elaborated, where most decisions around the purposes and means of processing will take place, or the ‘best’ location in terms of management and administration. Alternatively, the other data protection authorities involved in the review may appoint the most appropriate authority to take the lead.

The initial decision as to conformity with the model contract clauses is taken by the lead data protection authority, who must then forward a draft decision letter to all other authorities involved so that they may conduct their own review (within one month). The lead authority then invites comments from the co-reviewers before signing the letter on behalf of all the relevant data protection authorities and notifying the applicant.

More certainty for data transfers?

Well, a success for Google, but this is still a particularly challenging time for organisations that are trying to ensure international data transfers are compliant with data protection laws. Of course, the model contract clauses are still the subject of challenge in the EU. The Irish Data Protection Commissioner commenced proceedings in the Irish High Court following a complaint by Max Schrems against Facebook Ireland Limited’s use of the model contract clauses. The hearing started on 7 February 2017, where the High Court is to determine whether it should make a referral to the CJEU. We await the outcome of the hearing and whether the future status of the model contract clauses will be resolved or referred to the CJEU to decide.

UK government publishes digital strategy to create and support a secure and thriving data economy

On 1 March 2017, the UK government published its Digital Strategy (“Strategy”) for a “world-leading digital economy that works for everyone.” The Strategy contains a number of statements that bring some certainty to the direction of regulation in the UK following its withdrawal from the European Union.

Unlocking the data economy

The Strategy notes the opportunities presented through the use of data analytics, artificial intelligence and the internet of things. Noting a recent Information Commissioner’s Office study, which found that only one in four UK adults trust businesses with personal data, a key aspect of the Strategy is to improve public trust and confidence in the use of data, enabling the UK to house a ‘world-leading’ data economy. To this end, the Strategy confirms that the UK will implement the General Data Protection Regulation (“GDPR”) by May 2018, ensuring a “shared and higher standard of protection for consumers and their data across Europe and beyond.” Businesses will also be encouraged to adopt ethical frameworks for the use of data.

Bavarian Data Protection Authority issues its “7th activity report 2015/2016”

On 3 March 2017, the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht – “DPA”) issued its 160-page 7th activity report (Tätigkeitsbericht), covering the years 2015 and 2016. The activity report was accompanied by a press release of the same date.

Background

In Germany, Data Protection Authorities are obliged to issue activity reports regularly, at least every two years (Section 38(1) sentence 7 of the German Federal Data Protection Act, Bundesdatenschutzgesetz – BDSG). Under Article 59 of the upcoming General Data Protection Regulation (“GDPR”), however, each supervisory authority shall draw up an annual report.

Overview

Key focus: GDPR. The DPA states that the years 2015 and 2016 were characterised by the GDPR’s entry into force, which raised a number of legal questions, both for data controllers/processors and for the competent DPA. The DPA emphasises that the increase in the DPA’s responsibilities and in its power to impose sanctions upon companies, as well as the upcoming closer collaboration with other supervisory authorities and with the European Data Protection Board, will lead to a substantial increase in the DPA’s workload. This holds true in particular given that, in future, most of these activities will be conducted in English.

Cybercrime. Another key focus of the DPA’s activity in 2015/2016 was the security risks of networks, with a particular view to cybercrime attacks. The DPA states that the substantial increase in reported data breaches was surprising to it. In the preceding reporting period 2013/2014, 53 data breaches were reported, whereas the number of reported data breaches increased to 113 in the reporting period 2015/2016 (85 of those incidents were reported in 2016).

Increase of complaints. The DPA reports an increase in complaints received in the reporting period 2015/2016 (2,527 complaints), compared to the preceding reporting period 2013/2014 (1,878 complaints). The DPA takes the view that this increase might be caused by an increased awareness of data protection issues across the community.

Increase of consultancy requests. The DPA also reports an increase in consultancy requests, mainly from companies. In the reporting period 2015/2016, 3,853 requests were received, whereas in the reporting period 2013/2014, 3,554 consultancy requests were recorded. The DPA noted that a number of companies repeatedly asked the DPA for advice, which the DPA regards as a strong indication of data controllers’ increased desire to comply with the requirements of data protection law. At the same time, the DPA acknowledges that it could not handle all requests properly due to its existing personnel shortage.

Duration of proceedings before the DPA. In view of the enormous workload, the DPA raised concerns about how it will meet the deadlines under the GDPR, in particular the three-month deadline pursuant to Article 78(2) GDPR. To assess its own capabilities, the DPA conducted internal monitoring of the duration of the proceedings it administers which, according to the press release, is as follows:

Duration of proceedings, by quartile of cases (each column covers 25% of the cases handled):

  Type of proceeding      1st quartile   2nd quartile   3rd quartile   4th quartile
  Complaints              4 days         14 days        52 days        141 days
  Consulting citizens     1 day          3 days         11 days        36 days
  Consulting companies    3 days         19 days        47 days        122 days

Shortage of personnel. Four new officers shall be hired for years 2017 and 2018, which leads to a total headcount of 17 officers for the next two years. However, the DPA forecasts that it will not be able to properly fulfil its responsibilities due to a shortage of personnel.

Sanctions only for exceptionally severe breaches. Due to the heavy workload and shortage of personnel, the DPA has been able to open sanctioning proceedings only in exceptional, severe cases. However, the DPA clearly states that this needs to change, particularly in view of the upcoming new obligations of data controllers and data processors under the GDPR.

Content of the Activity Report

The activity report contains the following 23 chapters:

  1. Supervisory activities in the non-public area
  2. General overview of the DPA’s activities
  3. Controls and audits
  4. Data protection officer
  5. Contract data processing
  6. Right to information
  7. Data protection and internet
  8. Lawyers and disputes
  9. Insurance sector
  10. Financial institutions
  11. Credit agencies
  12. Advertising and address trading
  13. Trade and services
  14. International data transfers
  15. Protection of employee data
  16. Health and social sector
  17. Clubs and associations
  18. Housing sector and protection of tenant’s personal data
  19. Video surveillance
  20. Vehicle data
  21. Data breaches
  22. Technical data protection and security of information systems
  23. Sanctions

OCR’s Latest Health Breach Investigations Yield Big Settlements

In a span of a few weeks in early January 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced two major settlements under the Health Insurance Portability and Accountability Act (“HIPAA”) relating to the breach of protected health information (“PHI”). Neither settlement included an admission of any liability, but they included significant fines and mandated that additional measures be taken to protect PHI.

One of the investigations was triggered by alleged untimely notification of a breach of the PHI of 836 individuals by a large health care network. The health care network discovered on October 22, 2013, that paper-based operating room schedules containing PHI had gone missing from one of its surgery centers, but did not notify OCR until January 31, 2014. The notification delay was apparently caused by miscommunication between its workforce members. Citing the 60-day notice deadline in the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), the OCR investigation concluded that the notifications to OCR, to affected individuals (on February 3, 2014) and to required media outlets (on February 5, 2014) were roughly 40 days overdue. OCR also reviewed notifications provided by the health care network in regard to smaller breach incidents in 2015 and 2016, and concluded that those notifications were not timely either.

OMB Federal Agency Data Breach Guidelines – Considerations for Industry

In January 2017, the Office of Management and Budget (“OMB”) issued Memorandum M-17-12 to federal agencies to set out guidelines and procedures for preparing for and responding to a breach involving the release of personally identifiable information (“PII”). The OMB’s suggested framework specifically aims to “[assess] and mitigate the risk of harm to individuals potentially affected by a breach,” and to provide “guidance on whether and how to provide notification and services to those individuals.” The implementation of common federal agency standards and processes is intended not only to streamline the way agencies deal with the release of PII, but also to ensure that the federal government is capable of handling data breaches in an effective and efficient manner.

Among the more notable requirements in the guidelines are those imposed on federal contractors who collect or maintain federal information, or who use or operate information systems on behalf of a federal agency. The OMB outlines terms for agencies to incorporate into federal contracts and cooperative agreements, including requiring that contractors and subcontractors:
