On January 13, 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services, briefed reporters on the agency’s HIPAA enforcement priorities, noting a focus on threats to electronic health information, or ePHI. For more information about the briefing, visit Covington’s eHealth blog.
Tomorrow at 10:00 a.m., the House Subcommittee on Commerce, Manufacturing, and Trade will hold a hearing to determine what elements should be included in federal data-breach legislation. The following witnesses are scheduled to testify:
- Elizabeth Hyman, Tech America Executive Vice President of Public Policy
- Jennifer Glasgow, Acxiom Chief Privacy Officer
- Brian Dodge, Retail Industry Leaders Association Executive Vice President for Communications and Strategic Initiatives
- Woodrow Hartzog, Associate Professor at Cumberland School of Law
As we’ve previously reported, data breach has been a hot topic on the Hill at least since last year, when a number of bills on the topic were proposed to replace the current patchwork regime of state laws with a national standard for data security and breach notice. So far, no such legislation establishing a uniform federal law has been passed.
Check back on the blog for updates from the hearing.
New consumer protection provisions that clarify how companies may collect, use, and protect personal information of consumers will come into effect in China on March 15, 2015.
On January 5, 2015, China’s State Administration of Industry and Commerce (“SAIC”) issued measures to implement China’s Consumer Rights Protection Law (“CRPL”), which was amended effective March 2014 to include, among other things, provisions on the protection of personal information of consumers and administrative penalties for the misuse of personal information. The newly promulgated measures, entitled Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (“Implementing Measures”; Covington’s translation is available here) flesh out the CRPL by addressing a range of consumer protection issues. From a privacy perspective, the Implementing Measures (1) clarify the definition of “personal information of consumers,” (2) provide more detail on the CRPL’s requirements for the collection, use, and protection of consumer personal information, and (3) provide for significant penalties for violations. The Implementing Measures take effect on March 15, 2015, China’s Consumer Protection Day.
Article 11 of the Implementing Measures defines “personal information of consumers” as “a consumer’s name, gender, occupation, date of birth, identification document number, residential address, contact information, status of income and assets, health status, and consumption habits, and other information collected by business operators during their provision of goods or services that may independently or in combination with other information identify the consumers.”
The CRPL states that consumers’ personal information is entitled to protection when they purchase goods or services. The CRPL applies to all online and offline consumer transactions and to businesses in all industries that provide goods or services to consumers in China. The CRPL and the Implementing Measures, taken together, require businesses to:
(1) Inform and obtain consent from consumers regarding the purpose, method, and scope of collection or use of consumers’ personal information;
(2) Publish rules for the collection and use of consumers’ personal information;
(3) Not collect or use information in ways that violate laws, regulations, or contractual arrangements;
(4) Not divulge, sell, or illegally disclose consumer personal information to third parties;
(5) Implement measures to ensure the security of consumers’ personal information and immediately take remedial action if information is improperly disclosed or lost;
(6) Not send commercial information to consumers without consent, particularly if consumers have expressly indicated an unwillingness to receive such information.
Violations of the Implementing Measures are subject to civil liability: SAIC and its local counterparts may confiscate all illegal earnings and impose fines of between one and ten times the amount of the illegal earnings, or up to RMB 500,000 (about US $80,000) if there are no illegal earnings. (Note that starting in October 2014, companies have been required to disclose administrative penalties to the public within 20 business days.)
The Implementing Measures are part of a series of laws and regulations issued by the government in the last 24 months to further regulate collection and use of personal information — e.g., the Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (see our previous client alert here) and the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (see our blog post here). The definition in the Implementing Measures of “personal information of consumers” is one of the more specific definitions in China’s patchwork of privacy laws and regulations.
The substantial enforcement authority granted to SAIC and its local counterparts (local Administrations of Industry and Commerce, or AICs) suggests that the Chinese government is serious about cracking down on improper use, disclosure, and sale of consumers’ personal information in the country. AICs handle not only consumer protection but also advertising regulation, commercial bribery, and some aspects of antitrust enforcement. In our experience, AIC enforcement is largely executed at a local level (district, municipal, or sometimes provincial).
Material for this post was supplied by Sheng Huang and Ashwin Kaja of Covington & Burling LLP.
The Senate Judiciary Committee will continue to dedicate a subcommittee to privacy and technology issues.
Sen. Chuck Grassley, R-Iowa, the new chairman of the Senate Judiciary Committee, announced today that Sen. Jeff Flake, R-Ariz., is the new chairman of the Subcommittee on Privacy, Technology, and the Law.
Former Judiciary Committee Chairman Patrick Leahy created the subcommittee in 2011 and named Sen. Al Franken, D-Minn., as its chairman. Franken used the subcommittee to hold hearings on a number of emerging privacy and technology issues, including geolocation and facial recognition. When Republicans won control of the Senate in November, it was unclear whether Grassley would retain this new subcommittee.
Also today, Leahy announced that Franken is the new ranking member of the subcommittee. The other members of the subcommittee are Orrin Hatch, R-Utah, David Perdue, R-Ga., Mike Lee, R-Utah, Thom Tillis, R-N.C., Lindsey Graham, R-S.C., Dianne Feinstein, D-Cal., Charles Schumer, D-N.Y., Sheldon Whitehouse, D-R.I., and Christopher Coons, D-Del.
Last month a federal court found Dish Network liable for calls that were alleged by the Federal Trade Commission (“FTC”) to violate various provisions of the FTC’s Telemarketing Sales Rule (“TSR”). Specifically, the FTC’s 2009 complaint asserted that Dish Network initiated, or caused a telemarketer to initiate, calls to numbers on the National Do Not Call (“DNC”) Registry and to consumers who previously declined to receive such calls whose numbers were on Dish Network’s entity-specific do-not-call list or were marked “DNC” by a telemarketing vendor. The FTC also alleged that, in violation of the “abandoned-call” provision of the TSR, Dish Network abandoned or caused telemarketers to abandon phone calls. In its complaint, the FTC seeks monetary civil penalties from Dish Network for every violation of the TSR, for which the court is entitled to award up to $16,000 for each violation. At issue are tens of millions of calls, making the potential level of damages to be awarded at the trial stage staggering.
On Thursday, January 29, Covington’s Global Privacy and Data Security Practice Group will host a webinar on the Internet of Things (IoT). The webinar will cover the full federal, state, and international legal landscape governing IoT technology. While the Federal Trade Commission (FTC) is expected to release a report soon on privacy issues raised by IoT, the FTC is not the only regulator actively addressing issues surrounding IoT products and services. Several other federal entities have released or are working on guidance specific to the IoT, including the Federal Communications Commission, Food and Drug Administration, Department of Transportation and National Highway Transportation Safety Administration, Department of Energy, National Institute of Standards and Technology, and the National Security Telecommunications Advisory Committee. Several states have adopted laws impacting IoT products and services, and international governments — particularly in the European Union — have begun to show an interest in IoT developments. The webinar will run from 12:30 to 1:30 p.m. EST. Please join us by registering here.
Data security and privacy concerns received special attention in President Obama’s State of the Union address last night. As expected, the President advocated his recently released data security and privacy legislative proposals, which InsidePrivacy has covered extensively.
With regard to data security, President Obama urged Congress to pass legislation to guard against cyber-attacks, combat identity theft, and protect children’s data. He called for a bipartisan effort and noted that failing to take action would leave the country and the economy vulnerable.
President Obama addressed privacy concerns in the context of the government’s surveillance programs. The President noted that intelligence agencies have worked with the recommendations of privacy advocates to increase transparency and build more safeguards against potential abuse. He promised to release a report next month explaining how the government has protected both national security and privacy interests.
By Jim Garland
On Tuesday, President Obama introduced a legislative proposal on privacy and data security that seeks to strengthen and clarify law enforcement’s ability to investigate and prosecute cybercrimes.
On the heels of a number of well-publicized data security breaches, a White House data breach proposal, and California’s recent changes to its data breach notification statute, New York Attorney General Eric Schneiderman has announced that he will propose legislation to strengthen New York’s data breach notification law. The legislation had not been made public as of the date of publication, but the Attorney General has stated publicly that he anticipates it will include the following elements:
- “Private Information” Definition. The legislation would expand the definition of “private information” that, if breached, requires notice to New York residents. According to the Attorney General, “private information” should be defined to “include both the combination of an email address and password and an email address in combination with a security question and answer,” as well as “medical information, including biometric information, and health insurance information.” It is worth noting that the White House proposal unveiled earlier this week also would cover these data elements, and there are some existing state laws that already cover these data elements. For example, California’s recent amendments to its data breach statute require notice of certain breaches involving “[a] user name or email address, in combination with a password or security question that would permit access to an online account.” In addition, several states, including California and Texas, have breach notification statutes that cover certain types of medical information.
- “Reasonable” Data Security Requirement. Consistent with the approach that a number of other states (including, most recently, California) have taken, the legislation would impose an affirmative obligation on companies to reasonably safeguard “private information,” including through appropriate administrative, technical, and physical safeguards. Massachusetts and Nevada are among the states that have imposed more prescriptive data security obligations.
- Safe Harbor. Schneiderman’s press release provides that “New York should offer a safe harbor if a company adopts a heightened form of security. . . . Once [an entity implements a data security plan that meets the standard], an entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.” It is not clear based on the Attorney General’s press release, but we presume that this safe harbor would pertain to the obligation to maintain reasonable data security safeguards and not to other obligations. In addition, Schneiderman’s proposal would legislate that entities that obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements should receive for use in litigation a rebuttable presumption of having reasonable data security.
During his speech earlier this week at the Federal Trade Commission, President Obama unveiled a set of proposals to enhance student privacy protections. These proposals will include publishing a draft Student Digital Privacy Act, promoting an existing Student Privacy Pledge for educational technology providers, and introducing new privacy tools through the Department of Education.