
Inside Privacy

Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Senate Hearing Addresses White House Information-Sharing Proposal

Posted in Cybersecurity

By Caleb Skeath

Earlier this week, the Senate Committee on Homeland Security and Governmental Affairs held its first hearing of the new Congress, entitled “Protecting America from Cyber Attacks: The Importance of Information Sharing.”  The hearing focused in large part on the White House’s recent information sharing proposal, which would protect private entities from civil and criminal liability for sharing information with the government and designated private information sharing and analysis organizations (ISAOs).

Sen. Ron Johnson (R-WI), Chairman of the Committee, noted that he was “encouraged” by the renewed prospect of passing an information-sharing bill but cautioned that the Senate Intelligence Committee may also seek to weigh in on the issue.  Sen. Tom Carper (D-DE), the ranking member of the Committee, said that the administration’s proposal is “not perfect” but contains “constructive proposals that will help us continue the conversation on this issue.”  Sen. Carper, who has pledged to introduce a bill based on the White House’s proposal, told reporters afterwards that action on an information sharing bill could occur “very soon” and that Congress will be “much more involved this year” on cybersecurity issues.

Several of the Committee’s members expressed concern over the privacy implications of allowing private entities to share cyber threat information with the federal government, and the panel members agreed that privacy concerns would be the biggest obstacle to passing an information-sharing bill.  Sen. Cory Booker (D-NJ) questioned whether information sharing legislation could create “another level of government surveillance” by encouraging private entities to turn over customer information.  However, the panel replied that the current proposal is a “constructive step forward” in comparison to previous information sharing bills and offers increased protection for customer information.

The Committee also explored the liability protections offered by the White House’s proposal, as Sen. Johnson questioned the panel about whether the proposed liability protections would be “adequate.”  The panel members replied that although the proposal contains basic liability protections, such provisions would be insufficient to encourage private companies to engage in the large-scale information sharing that is needed to combat cyber threats.  Several panel members noted that many private entities already share cyber threat indicators within industry groups and encouraged the Committee to consider providing liability protections for sharing between private entities as well.

The Committee’s hearing comes after over 30 industry associations sent a letter to the Senate, “strongly urg[ing] the Senate to quickly pass a cybersecurity information-sharing bill.”  Such a bill, according to the letter, could allow businesses to receive cyber threat indicators in real time and protect themselves from cyberattacks while providing “legal certainty” against “frivolous lawsuits” that could result from information sharing.  The letter also called for legislation that would protect civil liberties and privacy while shielding private entities from public disclosure, regulatory, and antitrust risks.

The UK’s Data Protection Regulator to Introduce “Privacy Seals” for Businesses

Posted in International, United Kingdom

By Fredericka Argent

The UK’s Information Commissioner’s Office (ICO) has announced that it is looking to introduce a system of “privacy seals” for organizations doing business in the UK.  The seal is intended to be a consumer-facing stamp of approval demonstrating that a particular organization is meeting or surpassing the compliance requirements of the UK’s Data Protection Act.  The ICO expects that this will provide numerous benefits, both for companies, who could gain an advantage over competitors, and for customers, who should feel confident entrusting their personal information to companies displaying the seal.  It is hoped that the privacy seal will incentivize good data protection practices across UK businesses.

The privacy seals themselves will be delivered by third party operators who are endorsed by and work with the ICO.  It is expected that different operators will focus on different sectors, meaning that accreditation schemes can be tailored to particular industries.  For example, the operator handling privacy seals for mobile app companies may be different from the operator assigned to healthcare service providers.  A privacy seal will only be awarded to an organization once it has demonstrated that it meets the relevant data protection standards.

Privacy Weekend: Provocative Articles We’re Reading Now

Posted in Privacy Weekend

As readers of the InsidePrivacy blog know, we often save some fun reading on privacy issues for the weekend, given the crush of business during the week.  Sure, you’re reading the FTC’s just‑released Internet of Things report (and hopefully Shel’s helpful analysis of it), but a little broader reading might be just right for our (somewhat) snowy weekend.

At the top of my list for this weekend is Neil Richards’ new book, Intellectual Privacy: Rethinking Civil Liberties in the Digital Age.  This book follows up on Neil’s great law review article of the same name, but develops and updates the arguments, examples and use cases.  The subject of the work is the conflict between privacy and free expression, one of the most important issues in our area of law and policy.  Topics such as the “right to be forgotten” place this issue squarely into today’s headlines.  Neil suggests that free speech should win out in the event of a true conflict between the two values, but concludes that true conflicts are exceedingly rare.  It is more likely that privacy should be seen as a precondition for the exercise of free speech: without some assurance that privacy rights will be honored, individuals will not speak freely.  It’s a great premise with which I agree, and one that I look forward to thinking more about.  And if you’re in New York on Monday and can stop by the book launch sponsored by Data & Society, you can ask Neil about it!

Belgian Government Calls for EU Data Protection Authority

Posted in European Union, International

On Wednesday, January 28, 2015, better known as “Data Protection Day,” the Belgian Under-Secretary for Data Protection, Bart Tommelein, called for the creation of an EU Data Protection Authority.  He intends to present this position of the Belgian Government at the informal meeting of Ministers of Justice and of the Interior in Riga (Latvia).  The authority would be responsible for handling investigations against global companies, something national regulators are ill-equipped to do.  His chances of success are probably limited.

The current EU data protection regime only mandates the creation of independent “national” data protection authorities (possibly with regional ones for federations such as Germany) and a European Data Protection Supervisor for compliance within EU institutions.  While the proposed Data Protection Regulation, which is still under discussion, would create a European Data Protection Board, that Board is not anticipated to have sanctioning powers.  Moreover, Member States have so far opposed the creation of a more robust EU body; indeed, the latest texts suggest they intend to reduce the powers of the Board even further.  In this context, the announced Belgian initiative appears to swim against the current.

FTC Internet of Things Report Outlines Privacy and Security Recommendations for Industry

Posted in Federal Trade Commission

Yesterday, the Federal Trade Commission released a staff report on the Internet of Things (“IoT”) that provides best practice recommendations for addressing privacy and security risks associated with IoT products and services.  The report, Internet of Things: Privacy & Security in a Connected World, also summarizes findings from the FTC’s 2013 IoT workshop.  In the report, the FTC staff defines “IoT” as “devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet.”  Examples of IoT products and services include smart home appliances, connected car services, and fitness trackers.

For industry, the most significant sections of the report are the staff’s privacy and security recommendations, which fall into three main categories: (1) security, (2) data minimization, and (3) notice and choice.  These recommendations are technology-neutral and applicable across a wide range of technologies.  The report also addresses the staff’s view on the need for legislation.

The Commissioners voted 4 to 1 in favor of issuing the report.  Commissioner Maureen Ohlhausen issued a separate statement that generally supported the report while declining to endorse a couple of its recommendations.  Commissioner Joshua Wright dissented from the issuance of the report.  The remainder of this blog post analyzes the report’s recommendations and the commissioners’ statements in greater detail.

House Debates Federal Data Breach Legislation

Posted in Congress, United States

This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation.  Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace the 47 existing state data breach laws with a single national standard have so far been unsuccessful.  This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions still remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) said.

Summary Report of European Commission’s mHealth Consultation Published

Posted in European Union, International

The European Commission has finally published its summary of the 211 responses to its mobile health (“mHealth”) consultation.  The summary and the original responses to the consultation have been made available on the Commission’s website at https://ec.europa.eu/digital-agenda/en/news/summary-report-public-consultation-green-paper-mobile-health

The consultation covered a broad range of important issues for mHealth, including legal frameworks, privacy and data protection, patient safety, mHealth’s role in healthcare systems, equal access, interoperability, funding and reimbursement, liability, research & innovation, international cooperation, and market access issues, particularly for web entrepreneurs.

HIPAA 2015 Enforcement Priorities Highlight Cyber Threats, But Timing of HIPAA Compliance Audits Still Uncertain

Posted in Health Privacy

On January 13, 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services, briefed reporters on the agency’s HIPAA enforcement priorities, noting a focus on threats to electronic health information, or ePHI.  For more information about the briefing, visit Covington’s eHealth blog.

House Subcommittee to Hold Hearing and Begin Drafting Data Breach Bill

Posted in Congress, United States

Tomorrow at 10:00 a.m., the House Subcommittee on Commerce, Manufacturing, and Trade will hold a hearing to determine what elements should be included in federal data-breach legislation.  The following witnesses are scheduled to testify:

  • Elizabeth Hyman, TechAmerica Executive Vice President of Public Policy
  • Jennifer Glasgow, Acxiom Chief Privacy Officer
  • Brian Dodge, Retail Industry Leaders Association Executive Vice President for Communications and Strategic Initiatives
  • Woodrow Hartzog, Associate Professor at Cumberland School of Law

As we’ve previously reported, data breach has been a hot topic on the Hill at least since last year, when a number of bills were proposed to replace the current patchwork of state laws with a national standard for data security and breach notice.  So far, no legislation establishing a uniform federal law has been passed.

Check back on the blog for updates from the hearing.

China Clarifies Requirements for Companies Regarding Consumers’ Personal Information

Posted in China, Privacy Policies, Technology Transactions

New consumer protection provisions that clarify how companies may collect, use, and protect personal information of consumers will come into effect in China on March 15, 2015.

On January 5, 2015, China’s State Administration of Industry and Commerce (“SAIC”) issued measures to implement China’s Consumer Rights Protection Law (“CRPL”), which was amended effective March 2014 to include, among other things, provisions on the protection of personal information of consumers and administrative penalties for the misuse of personal information.  The newly promulgated measures, entitled Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (“Implementing Measures”; Covington’s translation is available here), flesh out the CRPL by addressing a range of consumer protection issues.  From a privacy perspective, the Implementing Measures (1) clarify the definition of “personal information of consumers,” (2) provide more detail on the CRPL’s requirements for the collection, use, and protection of consumer personal information, and (3) provide for significant penalties for violations.  The Implementing Measures take effect on March 15, 2015, China’s Consumer Protection Day.

Article 11 of the Implementing Measures defines “personal information of consumers” as “a consumer’s name, gender, occupation, date of birth, identification document number, residential address, contact information, status of income and assets, health status, and consumption habits, and other information collected by business operators during their provision of goods or services that may independently or in combination with other information identify the consumers.”

The CRPL states that consumers’ personal information is entitled to protection when they purchase goods or services.  The CRPL applies to all online and offline consumer transactions and to businesses in all industries that provide goods or services to consumers in China.  The CRPL and the Implementing Measures, taken together, require businesses to:

(1) Inform and obtain consent from consumers regarding the purpose, method, and scope of collection or use of consumers’ personal information;

(2) Publish rules for the collection and use of consumers’ personal information;

(3) Not collect or use information in ways that violate laws, regulations, or contractual arrangements;

(4) Not divulge, sell, or illegally disclose consumer personal information to third parties;

(5) Implement measures to ensure the security of consumers’ personal information and immediately take remedial action if information is improperly disclosed or lost;

(6) Not send commercial information to consumers without consent, particularly if consumers have expressly indicated an unwillingness to receive such information.

Violations of the Implementing Measures are subject to administrative penalties:  SAIC and its local counterparts may confiscate all illegal earnings and impose fines of between one and ten times the amount of the illegal earnings, or of up to RMB 500,000 (about US $80,000) if there are no illegal earnings.  (Note that since October 2014, companies have been required to disclose administrative penalties to the public within 20 business days.)

The Implementing Measures are part of a series of laws and regulations issued by the government in the last 24 months to further regulate collection and use of personal information — e.g., the Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection  (see our previous client alert here) and the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (see our blog post here).  The definition in the Implementing Measures of “personal information of consumers” is one of the more specific definitions in China’s patchwork of privacy laws and regulations.

The substantial enforcement authority granted to SAIC and its local counterparts (local Administrations of Industry and Commerce, or AICs) suggests that the Chinese government is serious about cracking down on improper use, disclosure, and sale of consumers’ personal information in the country.  AICs handle not only consumer protection but also advertising regulation, commercial bribery, and some aspects of antitrust enforcement.  In our experience, AIC enforcement is largely executed at a local level (district, municipal, or sometimes provincial).

Material for this post was supplied by Sheng Huang and Ashwin Kaja of Covington & Burling LLP.