A new post on Covington’s Inside Medical Devices blog discusses a new portal recently launched by HHS seeking questions from mobile health application developers. The platform allows for individuals to both submit and review questions on the HIPAA implications of these mobile health applications. To read the post, click here.
On October 12, 2015, the European Parliament’s Civil Liberties, Justice and Home Affairs (“LIBE”) Committee held a debate to discuss the aftermath of the ruling of the Court of Justice of the European Union (“CJEU”) in Case C-362/14 Maximillian Schrems v Data Protection Commissioner (see summary of the ruling here and summary of the Advocate-General’s Opinion here). The debate was chaired by the LIBE Committee Chair, Claude Moraes, and started with a presentation from the European Parliament’s Legal Service. The Legal Service provided a summary of the CJEU’s decision, and set out the following points:
- The ruling confirms the importance of the EU Charter of Fundamental Rights in protecting EU citizens, and the fact that all EU laws must comply with the Charter. In this case, the Charter rights invoked included the right of all EU citizens to privacy and the right to an effective judicial remedy. It can be concluded from the CJEU’s ruling that the Data Protection Directive 95/46/EC does comply with the Charter.
- Both the Charter of Fundamental Rights and the Data Protection Directive 95/46/EC provide a high level of protection to EU citizens’ personal data, whether the data are situated inside or outside the EU. This means that a third country can only be considered to provide “adequate” protection to EU citizens’ personal data when that country itself has strong data protection laws. The protection provided in a third country need not be identical, but must provide an “essentially equivalent” protection to that guaranteed under EU law.
- Legislation, whether in the EU or the U.S., cannot legitimately authorize mass or generalized surveillance of EU citizens’ data.
- The power of local data protection authorities (“DPAs”) to investigate data protection breaches cannot be restricted by the Commission.
As businesses increasingly work with various types of third parties that process sensitive information and, in some cases, access a company’s networks, there is an inherent risk: these third parties create new avenues of attack against a company’s data, systems, and networks. Covington attorneys David Fagan, Nigel Howard, Kurt Wimmer, and Elizabeth Canter describe these potential risks and the measures that can be used to mitigate such risks in a chapter they authored entitled “Managing risk associated with third-party outsourcing” — which appears in a new book, Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers.
The chapter describes several critical elements of managing third-party risk, including the goals and process for pre-engagement due diligence of third parties, approaches to managing risk through contract (including the challenges of negotiating appropriate indemnifications and liability provisions), and ongoing monitoring and oversight of third parties.
To download a copy of Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers, visit www.securityroundtable.org.
On Thursday, October 8, California Governor Jerry Brown signed into law the California Electronic Communications Privacy Act (“CalECPA”), which requires law enforcement officials in California to obtain a warrant to access digital records, including emails and text messages.
The new law was supported by privacy rights advocates and technology companies, many of which are pushing for similar reforms to the federal Electronic Communications Privacy Act (“ECPA”). The federal law, enacted in 1986, has been widely criticized as outdated, in part because it purports to permit law enforcement officials to obtain emails older than 180 days with a subpoena, rather than with a warrant. That provision of ECPA was held unconstitutional by the Sixth Circuit Court of Appeals in 2010, but the statute has not yet been updated to require a warrant for all emails, regardless of their age.
The new California law applies to all state and local law enforcement officials in California, who now must obtain a warrant before accessing any “electronic communication information.” That term is defined broadly to include not just the contents of communications, but also the sender, recipient, format, time, and date of the communications; any information about the location of the sender or recipient at the time of the communications; and any information pertaining to any individual or device participating in the communications, including an IP address.
By Brandon Johnson
On October 6, 2015, California Governor Jerry Brown signed into law a trio of bills that is intended to clarify key elements of the state’s data-breach notification statute and provide guidance to persons, businesses, and state and local agencies that deal with electronically stored personal information. The bills, which were passed together as a single legislative package, will take effect on January 1, 2016.
Assembly Bill 964 (A.B. 964) clarifies the meaning of the term “encrypted,” which is found throughout California’s data-breach notification statute. Personal information is now deemed properly “encrypted,” as defined in A.B. 964, if it is “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”
Senate Bill 570 (S.B. 570) makes uniform the language that must be used in security breach notifications. Under the law, security breach notifications must now be titled “Notice of Data Breach” and must present relevant notification information under the following predetermined headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” “Other Important Information,” and “For More Information.” S.B. 570 comes complete with a model form for a breach notification.
Senate Bill 34 (S.B. 34) expands the definition of the term “personal information” found in California’s data-breach notification statute, sweeping within its ambit information or data that is captured by automated license plate recognition (ALPR) systems. The law also imposes new requirements on operators and end-users of ALPR technology. Among other things, ALPR operators and end-users must undertake reasonable security measures to protect ALPR information and implement usage and privacy policies that govern the collection, use, maintenance, sharing, and dissemination of this information. S.B. 34 grants a private right of action to individuals who have been harmed by a violation of these requirements, which includes the unauthorized access or use of ALPR information and the breach of an ALPR system’s security.
By Brandon Johnson
On October 6, 2015, California Governor Jerry Brown signed into law Assembly Bill 1116 (A.B. 1116), which regulates the manner in which smart TVs must notify users of voice-recognition technology and may use recorded voice commands. The bill, which was passed unanimously by both houses of the California legislature earlier this year, will go into effect on January 1, 2016.
The recently enacted law requires manufacturers of smart TVs to inform customers about the voice-recognition features during the TVs’ initial setup or installation. It also bars the sale or use of any speech captured by voice-recognition technology for advertising purposes. Under A.B. 1116, the California Attorney General and district attorneys are authorized to seek injunctive relief and up to $2500 in civil penalties for each television sold or leased in violation of its provisions. The law does not, however, provide consumers with a private right of action.
Electronics manufacturers should note that the scope of A.B. 1116 is relatively limited: it applies only to video devices that are “designed for home use to receive television signals and reproduce them on an integrated, physical screen display that exceeds 12 inches” and expressly excludes from coverage various other devices that can be used to access video content, such as personal computers, portable devices, set-top boxes, video game consoles, and digital video recorders. The law also limits manufacturer liability to the functionality available at the point of sale, so any applications installed or downloaded by a customer thereafter would not implicate the provisions of A.B. 1116.
Today, the Court of Justice of the European Union (the “CJEU”) invalidated the European Commission’s Decision on the EU-U.S. Safe Harbor arrangement (Commission Decision 2000/520 – see here). The Court responded to pre-judicial questions put forward by the Irish High Court in the so-called Schrems case. More specifically, the High Court had enquired, in particular, about the powers of European data protection authorities (“DPAs”) to suspend transfers of personal data that take place under the existing Safe Harbor arrangement. The CJEU ruled both on the DPAs’ powers and the validity of the Safe Harbor, finding that national data protection authorities do have the power to investigate in these circumstances, and further, that the Commission decision finding Safe Harbor adequate is invalid.
By Ethan Forrest
For the first time, California Attorney General Kamala Harris has announced a privacy breach settlement that requires the defendant company to create a “chief privacy officer” position to oversee compliance with privacy laws.
The company in question is Houzz Inc., a popular online platform for home design and décor. Attorney General Harris asserted that Houzz violated California anti-eavesdropping and anti-wiretapping laws, which forbid recording phone calls without notifying the other parties to the call and obtaining their consent. According to the complaint, for about six months in 2013, Houzz had recorded all incoming and outgoing calls for “quality assurance and training purposes.” But it never notified parties to the calls, or obtained their consent.
The settlement requires that Houzz officially appoint a chief privacy officer (often called a “CPO”) within sixty days of the settlement’s entry. The chief privacy officer must be knowledgeable of all state and federal privacy laws; establish privacy policies and procedures that comply with those laws; and oversee Houzz’s compliance with those policies and procedures. The chief privacy officer will have the authority to report significant privacy concerns to Houzz’s CEO and other executive officers. The settlement also includes $175,000 in penalties and fees, and requires Houzz to complete an extensive privacy risk assessment and monitoring program.
While this settlement is a first for the California Attorney General’s office, the Federal Trade Commission has included similar requirements in past settlements. And increasingly, companies have been proactive in establishing their own privacy officer positions, as high-profile data breaches, privacy litigation, and overall concerns about user privacy have become more acute.
By Mark Young and Joseph Jones
The UK Information Commissioner’s Office (“ICO”) has issued its largest fine to date in connection with using an automated calling system to make direct marketing calls. The ICO found that Home Energy & Lifestyle Management Ltd (“HELM”), a green energy company that made millions of automated marketing calls in relation to “free” solar panels, recklessly contravened UK regulations, and fined the company £200,000.
A European Parliament policy department has released a report, entitled Big Data and Smart Devices and Their Impact on Privacy, that criticizes the lack of focus on privacy and data protection in the European Commission’s “Digital Single Market” policy agenda, noting a “conflicting” intersection between the Commission’s Digital Single Market objectives and the EU’s efforts, now in their hopefully final stages, to reform the EU’s general legislation around the protection of personal information.