Celebrating GDPR’s anniversary and preparing for year two

25 May 2019 was GDPR’s first birthday. Since its introduction, privacy and data protection issues have continued to dominate public debate and regulators have signalled that large fines for non-compliance are imminent. Now is an opportune time to review your privacy and data protection regimes. We have more regulatory guidance and case law than we did a year ago, and practices may well have bedded in within your organisation over the last year.

With this in mind, and in lieu of birthday cake, we have prepared a short series of thought-pieces, including a look at what could feature on your to-do list for GDPR year two and some sector-specific snapshots of GDPR’s formative first year:

  • One year of GDPR: How have EU Member States implemented and enforced the new data protection regime?
  • Life Sciences: GDPR is one year old already: 5 things for the life sciences and healthcare industry

 

 

FERC requests comments on proposed new CIP Reliability Standard regulating the transmission of data between control centers

On April 18, 2019, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) requesting comments on proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-012-1. As written, CIP-012-1 will require responsible entities to implement controls to protect communication links and data transmissions in an effort to mitigate cybersecurity risks to communications between bulk electric system Control Centers. The FERC confirmed its general support of the adoption of CIP-012-1 in its NOPR and invites stakeholders to submit comments on the NOPR regarding CIP-012-1 by June 24, 2019.

To read more on proposed CIP Reliability Standard CIP-012-1 and the additional modifications recommended by FERC, click here.

New OCR fact sheet clarifies HIPAA liability for business associates

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a fact sheet clarifying violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) for which a business associate can be held directly liable. The fact sheet outlines 10 specific circumstances for which OCR has authority to take enforcement action against a business associate. OCR’s clarification offers long-awaited clarity to business associates contemplating their own HIPAA liability at a time when enforcement against business associates has been on a steady rise.

To read more on the new fact sheet, click here.

One year of GDPR – How have EU member states implemented and enforced the new data protection regime?

The GDPR just had its first birthday. Before the GDPR became effective, organisations were anxious because the Regulation provides for heavy penalties. But was their anxiety justified? And as a first step, how have EU member states themselves implemented the GDPR? This article will provide short answers to these questions.

Local implementation efforts

Although the GDPR intended to unify data protection law within the EU, it permits EU member states to implement stricter local rules in some cases, based on the so-called ‘opening clauses’. These allow local rules to be implemented on important issues, such as the requirements for the designation of a data protection officer, the age of consent of children, data protection in the context of employment, and data breach notification obligations.

EU member states have generally made good use of this option. Germany was the first member state to pass an act to implement the GDPR (and is currently working on an amendment), but the other EU member states quickly followed suit.

Local implementation highlights

Some EU member states have introduced local provisions that are worth noting, particularly for organisations doing business in these jurisdictions. Some examples are:

  • In Germany, organisations that continually employ at least 10 people to deal with the automated processing of personal data must appoint a data protection officer.
  • France has some preliminary notification obligations, especially with regard to the processing of biometric or genetic data, for example.
  • Dutch law retains regulations from the previous Dutch data protection law with regard to the processing of sensitive data, for example in an employment context.
  • Hungary and Spain introduced provisions with regard to the personal data of deceased individuals.
  • Spanish law includes specific provisions for data processing in relation to, for example, video surveillance, whistleblowing and the financial solvency of individuals.
  • The laws of Austria, the Czech Republic and Ireland provide for an easing of the fine system for public bodies.

You can find an overview of all implementation laws and their specialties here: https://www.reedsmith.com/-/media/files/perspectives/2018/gdpr_factsheet_may2018.pdf?la=en. Continue Reading

Pennsylvania Superior Court holds county where reputational harm occurs is proper venue for Internet defamation suits, confirming 50-year-old inquiry applies to website-based claims

Addressing an issue of first impression, the Pennsylvania Superior Court ruled last week that a venue analysis dating to 1967 focusing on the location of dissemination of allegedly defamatory newspapers applied to online defamation suits as well.  As a result, the proper venue for Pennsylvania defamation suits based on website content is any county where a third party who knows the plaintiff personally reads the content and understands it to be harmful to the plaintiff’s reputation. The ruling enlarges the potential venue options for defamation plaintiffs and could lead to website publishers and social media posters being sued in any county in Pennsylvania.

Continue Reading

UK High Court says no…administrators are not controllers

The recent case of Green v. Group Ltd and others [2019] EWHC 954 (Ch) dealing with Cambridge Analytica’s insolvency has clarified the approach that administrators should take when subject access requests are made to the companies over which they are appointed.

A failed administration…

In the aftermath of the notorious data analytics activities of Cambridge Analytica, companies in this group suffered serious financial damage. Administration proceedings were initiated but the administrators were not able to profitably realise the group’s business. Unbeknown to the administrators, the Information Commissioner’s Office (ICO) had also seized the companies’ laptops and servers, which meant the business could not continue to trade. The failed attempts to market the business led the administrators to place the companies into compulsory liquidation and request that they be appointed as liquidators.

A creditor’s complaint…

A contingent creditor objected to the appointment of the administrators as subsequent liquidators. Among various objections, the creditor complained that the administrators had breached duties arising under data protection laws. He sought an Enforcement Notice under the Data Protection Act 1998 against two group companies to request that they comply with a subject access request to provide details of his personal data potentially held by the companies.

The creditor also wrote to the administrators requesting copies of the materials and notes of the oral submissions made at the administration hearing. The administrators allowed the creditor’s disclosure application, having rejected it initially, and eventually provided the requested documents.

A few data protection questions…

In its assessment of the creditor’s objections, the High Court first referred to previous case law, which had established that a liquidator is not regarded as a controller in respect of personal data processed by the company. As a general rule, a liquidator acts as a company’s agent and, unless the liquidator takes decisions about the processing of the data as a principal rather than an agent, the liquidator cannot be considered a controller.

Here, the administrators decided not to search for the creditor’s data through records of 700 terabytes which had been seized by the ICO. The court agreed that this was a decision that the administrators were suited to make. As agents of the company, the scope of their statutory duty was limited and the interests of one creditor had to be balanced against the interests of the general body of creditors.

The court also said that administrators have no general duty to investigate data breaches by the company relating to third parties (such as data subjects). Their duty only extends to investigating breaches of the duty owed by the directors to the company or its creditors.

The court also accepted the administrators’ “commercial judgment in an uncertain legal context” not to appeal the Enforcement Notice as the cost of compliance would have been disproportionate. This was because administrators have the right to prioritise recovering assets before addressing claims and distribution issues. There was criticism, though, that the administrators had failed to “appreciate the legal niceties of a novel situation in a developing area of the law”.

Comment

This decision is a welcome judicial clarification that administrators (as well as liquidators) are not controllers. What is more, it confirmed that data protection investigations are not for administrators or liquidators to solve – these should remain in the realm of external regulators and be carried out at the public expense. While this is bad news for data subjects seeking information from insolvent companies, liquidation and administration proceedings should only be used for what they are, not as a “free-floating public enquiry into possible unlawful activity implicit in the business model of the insolvent company”.

Council of Europe publish recommendations for the regulation of AI to protect human rights

The Council of Europe Commissioner for Human Rights has recently published recommendations for improving compliance with human rights regulations by parties developing, deploying or implementing artificial intelligence (AI).

The recommendations are addressed to Member States. The principles concern stakeholders who significantly influence the development and implementation of an AI system.

The Commissioner has focussed on 10 key areas of action:

    1. Human rights impact assessment (HRIA) – Member States should establish a legal framework for carrying out HRIAs. HRIAs should be implemented in a similar way to other impact assessments, such as data protection impact assessments under GDPR. HRIAs should review AI systems in order to discover, measure and/or map human rights impacts and risks. Public bodies should not procure AI systems from providers that do not facilitate the carrying out of or publication of HRIAs.
    2. Member States public consultations – Member States should allow for public consultations at various stages of engaging with an AI system, and at a minimum at the procurement and HRIA stages. Such consultations would require the publication of key details of AI systems, including details of the operation, function and potential or measured impacts of the AI system.
    3. Human rights standards in the private sector – Member States should clearly set out the expectation that all AI actors should “know and show” their compliance with human rights principles. This includes participating in transparent human rights due diligence processes that may identify the human rights risks of their AI systems.
    4. Information and transparency – Individuals subject to decision making by AI systems should be notified of this and have the option of recourse to a professional without delay. No AI system should be so complex that it does not allow for human review and scrutiny.
    5. Independent oversight – Member States should establish a legislative framework for independent and effective oversight over the human rights compliance of AI systems. Independent bodies should investigate compliance, handle complaints from affected individuals and carry out periodic reviews of the development of AI system capabilities. Continue Reading

EU sets out its eCommerce and privacy stall in WTO negotiations

The EU has published its initial eCommerce proposals (Proposal) to be discussed at the WTO negotiating meeting, which is ongoing at the time of writing. The EU has been a member of the WTO for more than 20 years. The 28 member states of the EU are also members of the WTO in their own right. The negotiating meeting aims to secure a trade deal to govern global eCommerce.

The Proposal includes provisions on electronic contracts, consumer protection, and revisions to the WTO reference paper on telecommunications services. We include more detail on some of the more pertinent provisions below.

International transfers of data

The Proposal recommends that cross-border data flows should be unhindered. This includes ensuring there are no requirements:

1.   for computer facilities or parts of networks to be in a specific territory for processing;

2.   for data localisation in a specific territory for storage or processing;

3.   prohibiting data storage or processing in a specific territory; and/or

4.   that any international data transfer must use computing facilities or parts of a network in a specific territory or require data localisation.

Data privacy

The Proposal recommends that:

1.   countries recognise that personal data protection and privacy are fundamental rights and that standards are established to facilitate trust and the development of trade; and

2.   countries may adopt safeguards they deem appropriate to protect personal data and privacy, including the adoption and application of rules for international data transfers.

Open internet access

The EU wants to ensure that an open internet is maintained. The Proposal contains net neutrality provisions that would ensure non-discriminatory network management. The Proposal also provides for internet users. It recommends ensuring that users can connect to the internet and be informed of the network management practices of their internet access service provider.

Comment

The Proposal is an indication of the key talking points for the current WTO negotiations. Although significant areas have been included in the Proposal, questions remain. These include international data transfer issues, such as continued reliance on the EU-U.S. Privacy Shield and UK-EEA data transfers in the event of a ‘hard Brexit’. We expect further developments in this area and will continue to comment on additional updates on this blog.

Data portability and other initiatives introduced in Singapore to promote innovation and strengthen accountability

On May 22, 2019, Singapore’s Personal Data Protection Commission introduced three new initiatives:

a)   A public consultation on data portability. The corresponding consultation paper also proposes to introduce data innovation provisions as part of the ongoing review of the Personal Data Protection Act (PDPA). The consultation is open for six weeks and will close on July 3, 2019.

b)   A guide on active enforcement.

c)   An updated guide on managing data breaches.

Public consultation on data portability

The commission is proposing to introduce a data portability obligation, with the aim of giving individuals greater control over their personal data and enhancing innovation to support the growth of the digital economy.

The following impacts were considered:

  • Consumer impact: Where consumers are able to move their data from one service provider to another, they are empowered to try out new service offerings and this will in turn incentivize organizations to provide more competitive offers.
  • Market impact: Data portability provides a means of reducing barriers to entry, particularly for start-ups or small players in sectors that are heavily reliant on consumer data. The consultation paper cited the Open Banking initiative in the UK, which has enabled the creation of an app that allows consumers to consolidate accounts from multiple banks, and the Data Transfer Project, which is an industry-led initiative that provides users with the ability to move their data between different online platforms. At the same time, the commission acknowledged that overly burdensome requirements and the increase in compliance costs could result in a first mover losing its incentive to innovate, as a follower could simply emulate its business model and acquire consumer data through the portability obligation. Hence, a balance would need to be struck to create the right competitive landscape and reap the most benefits for consumers and the economy.
  • International developments: Data portability has been introduced in the EU, Australia and the Philippines, and other jurisdictions including India, Japan, New Zealand and the United States (California) are also considering its introduction into their domestic laws. It was therefore important that Singapore keeps pace with international data protection developments in alignment with other key jurisdictions.

The consultation paper proposed that the scope of the obligation be as follows:

  • Covered organizations: The obligation will not apply to exempted organizations under the PDPA (including individuals acting in a personal or domestic capacity, employees acting in the course of employment and public agencies). It will also not apply to data intermediaries.
  • Receiving organizations: The obligation will only apply if the receiving organization is in Singapore. However, it will not prevent voluntary arrangements by organizations to transmit data to overseas entities with an individual’s consent. Where the data is irrelevant or excessive in relation to a service or product offered to an individual, a receiving organization may choose not to accept the data or retain only a portion of the data.
  • Requesting individual: Any individual can make a data portability request, regardless of whether they are in Singapore.
  • Covered data: This will only apply to data in the possession or control of an organization that is held in electronic form. The obligation applies to two types of data:

(a)   data that is provided by an individual to the organization (“user provided data”); and

(b)   data that is generated by an individual’s activities in using the organization’s products or services (“user activity data”).

The obligation does not, however, apply to “derived data,” which refers to new data elements created through the processing of other data by applying business-specific rules.

The obligation applies to “business contact information” as defined in the PDPA.

It would also apply to the personal data of third parties. The receiving organization would only be allowed to process such personal data where the data is under the control of the requesting individual and used only for their personal or domestic purposes. The receiving organization must obtain fresh consent to use the data for any other purposes.

  • Handling portability requests: The paper sets out details of the key responsibilities of the porting organization in relation to:

(a)   receiving the request;

(b)   verifying the request;

(c)   verifying the data to be ported;

(d)   porting the data, where the following information would need to be provided to the individual:

a.   fees payable by the requesting individual; and

b.   when the data will be ported;

(e)   the format of the ported data;

(f)   informing the individual of a rejection;

(g)   preserving the data; and

(h)   responding to a request withdrawal by the individual.

The data portability obligation is intended to be complementary to the access obligation under the PDPA. Exceptions to the portability obligation will be aligned to exceptions to the access obligation except where access could reveal the personal data of another individual, or reveal the identity of the individual who has provided the personal data and that individual does not consent to the disclosure of their identity.

In terms of enforcement, the commission will have powers to review an organization’s:

  • refusal to port data;
  • failure to port data within a reasonable period of time; and
  • fees for porting data pursuant to an individual’s request.

The commission will also have the power to issue binding codes of practice on data portability to take into account more specific sectoral requirements. Matters that will be addressed in these codes of practice will include:

  • consumer safeguards;
  • counterparty assurance;
  • interoperability; and
  • security of data.

Public consultation on data innovation provisions

The commission is proposing to allow organizations to use personal data for business innovation purposes, which refers to any of the following:

  • operational efficiency and service improvements;
  • product and service development; and
  • knowing customers better.

In relation to the collection or disclosure of such personal data for business innovation purposes, however, organizations must still notify the individual concerned and seek their consent, unless an exception in the PDPA applies. Also, the business innovation purposes provision does not extend to the use of personal data for direct marketing to consumers.  The commission also proposes to exempt derived personal data, which is new data created through the processing of other data by applying business-specific logic or rules, from the following obligations under the PDPA:

  • the access obligation under section 21;
  • the correction obligation under section 22; and
  • the proposed data portability obligation mentioned above.

Guide to active enforcement

The commission has introduced a new expedited decision-making process to bring investigations on clear-cut breaches to a conclusion quickly. This process can be applied where:

  • the nature of the breach is similar to precedent cases with similar facts; and
  • there is an upfront admission of liability for breaching the PDPA (which would be considered a mitigating factor).

Examples include common forms of breaches such as URL manipulation, poor password management or printing errors resulting in unauthorized disclosures to the wrong recipients.

Importantly, an organization can request to make an undertaking to implement a plan to resolve a breach, in place of a full investigation, where:

  • the commission assesses that such undertaking would achieve a similar or better enforcement outcome than a full investigation.

Guide to Managing Data Breaches 2.0

The commission has updated its guide on managing data breaches. It makes recommendations in two main areas:

  • Threshold for notifying the commission and individuals of a data breach: this is now 500 or more affected individuals, or where significant harm to or other impact on individuals is likely; and
  • Timeliness of notification: internal investigations and assessments should take no more than 30 days from an organization becoming aware of a potential breach and notification no later than 72 hours from completion of the assessment.

Given the potential significance of the proposed data portability obligation and data innovation provisions to businesses in Singapore when these take effect, organizations may wish to consider submitting their feedback on the various issues raised in the consultation paper.

Businesses should also take note of the two guides mentioned above, particularly the one on managing data breaches, as this is a timely precursor to the mandatory breach reporting requirement that will soon be introduced in Singapore.

Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, Reed Smith). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith’s Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.

OCR releases new FAQs on use of health apps

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of Health Insurance Portability and Accountability Act (HIPAA) FAQs  building upon prior guidance from OCR. The new FAQs discuss the applicability of HIPAA to covered entities and business associates that interact with health apps and explain when HIPAA regulated entities may be held vicariously liable for data breaches experienced by the health app providers.

The new FAQs reiterate that a covered entity will not be liable for a breach of health information if the health app is not provided by or on behalf of the covered entity. Determining an app was developed for, or provided for or on behalf of a HIPAA regulated entity can be difficult given increasingly complicated business structures in the health care industry and the variety of technology solutions available in the market. For example, it is unclear how customized a technology solution must be for it to be “developed for, or provided for or on behalf of” a HIPAA regulated entity. For this reason, it is important to fully understand the relationship of the parties and the technology involved to properly analyze potential HIPAA risk exposure from using third-party technology.

To read more on the new HIPAA FAQs and the potential impact on the use of third-party technology solutions, click here.

LexBlog