OIG Urges Inclusion of General IT Security Controls in HIT Standards

By Anna Kraus & Rachel Grunberger

As we reported previously, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) recently issued two reports that highlight continuing concerns over how best to ensure the privacy and security of electronic health information.  Earlier this week, we provided more detail on the OIG’s report regarding CMS oversight of the HIPAA Security Rule.

On May 16, 2011, the OIG released a second report relating to federal data security standards, Audit of Information Technology Security Included in Health Information Technology Standards. In this report, the OIG expressed concern that federal health information technology (HIT) standards do not include general information technology (IT) security controls.  Instead, HIT standards focus primarily on application controls, which apply within an IT system and can be circumvented in the absence of strong general security controls.  The audit recommended that the Office of the National Coordinator for Health Information Technology (ONC) take the following steps:

  • Include general security controls in HIT standards;
  • Provide guidance to the health industry and the medical community regarding the value of general IT security as well as general IT security standards and best practices; and
  • Cooperate with the Centers for Medicare & Medicaid Services (CMS) and the HHS Office for Civil Rights (OCR) to require general IT security controls where appropriate.

FTC Seeks Comment on Aristotle's COPPA Safe Harbor Application

The Children's Online Privacy Protection Act ("COPPA") provides a safe harbor for companies that comply with FTC-approved self-regulatory guidelines.  Since COPPA's enactment, the FTC has approved proposals submitted by CARU, ESRB, TRUSTe, and Privo, Inc.  

Aristotle, which operates the Integrity suite of age and identity verification services, recently filed an application with the FTC to become an FTC-approved safe harbor program.  In addition to the verifiable parental consent mechanisms that are contained in the FTC's COPPA Rule, Aristotle proposes to allow companies to obtain parental consent using the following electronic methods:

  • verifying the last four digits of the parent's Social Security Number;
  • verifying the parent's driver license number;
  • sending an e-mail with an electronically signed parental consent form plus verification of an attached copy of a government-issued ID;
  • sending an e-mail with an attached copy of a physically signed parental consent form;
  • using a secure website plus verification of an uploaded copy of a government-issued ID;
  • using a secure website plus verification of an uploaded copy of a physically signed parental consent form;
  • transmission and verification of a photocopy of a government-issued ID through Multimedia Messaging Service ("MMS");
  • transmission and verification of a photocopy of a physically signed parental consent form through MMS;
  • submission of the parent's full name, birth date, and address, verified through the use of commercially available databases;
  • submission of the parent's full name, birth date, and location, verified through the use of commercially available databases plus the mailing of a confirming postcard to the verified address; and
  • face-to-face real-time verification through Skype or other online telephony or videoconferencing technology.

The FTC is seeking comments on Aristotle's application.  Comments are due by August 8, 2011. 

OIG Finds CMS Oversight of the HIPAA Security Rule Insufficient to Ensure Covered Entity Compliance

By Anna Kraus & Rachel Grunberger

In a previous post, we highlighted two reports recently issued by the Department of Health and Human Services (HHS) Office of Inspector General (OIG), which criticize HHS’s oversight of health information privacy and security.  In today’s post, we provide greater detail regarding one of those reports (Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight).  We will delve into the second report in a forthcoming post.

The OIG’s Nationwide Rollup Review found that oversight by the Centers for Medicare & Medicaid Services (CMS) had been insufficient to ensure that hospitals and other covered entities have effectively implemented the HIPAA Security Rule.  Specifically, the OIG noted that although CMS had performed a limited number of covered entity compliance reviews, these reviews tended to be reactive rather than proactive.  According to the OIG, CMS relied primarily on education efforts and voluntary compliance to enforce the Security Rule rather than developing a structured compliance review process. 

CMS was initially delegated authority to enforce compliance with the Security Rule in 2003 and published a final Security Rule that year.  Enforcement authority was subsequently transferred to the HHS Office for Civil Rights (OCR) in 2009.  OCR reports that it has a process in place to conduct proactive compliance reviews even in the absence of specific complaints.  However, the OIG appeared to question this assertion, stating that OCR had not produced evidence of reviews targeted at entities which had not been specifically flagged for scrutiny.  The OIG concluded by recommending that OCR continue the compliance review process begun by CMS and ensure that it provides for reviews in the absence of complaints. 

Supreme Court Strikes Down Vermont Law Restricting Use of Prescriber-Identifiable Data

Today, in a 6-3 decision, the U.S. Supreme Court struck down a Vermont law restricting the sale, disclosure, and use of pharmacy records that reveal the prescribing practices of individual doctors.  In so holding, the Supreme Court found that speech in aid of pharmaceutical marketing is a form of expression protected by the First Amendment.   The decision is consistent with the concerns about the statute evident from the Court’s questions at oral argument, which were discussed in a previous post.

At issue was the Vermont Prescription Confidentiality Law, which regulates the ability of pharmacies to sell information about physician prescription practices — known as “prescriber-identifying information.”  The Vermont law prohibited pharmacies and other entities from selling prescriber-identifying information for marketing purposes or allowing such information to be used for marketing purposes without a prescriber’s consent.  The law was challenged by a group of three data miners and an association of pharmaceutical manufacturers. 

The Supreme Court characterized the use of prescriber-identifying information as “speech in aid of pharmaceutical marketing” and concluded that it is a form of expression protected by the First Amendment, the regulation of which is subject to heightened scrutiny.  It rejected arguments that the law was a commercial regulation that placed only an incidental burden on expression, finding instead that “Vermont’s law imposes a burden based on the content of speech and the identity of the speaker.”  According to the Supreme Court, the law had the effect of preventing only pharmaceutical marketers, but not other speakers, from communicating with physicians in an effective and informative manner.   Because the law prohibited use of the information for only one purpose, the Court observed that while “[i]t may be assumed that . . . physicians have an interest in keeping their prescription decisions confidential,” the challenged law “is not drawn to serve that interest.”     

Justice Kennedy authored the Supreme Court’s opinion in this case, Sorrell v. IMS Health, Inc.  Justice Breyer authored a dissent, which was joined by Justices Ginsburg and Kagan.

Flurry of Privacy Bills Introduced in Congress; More to Come?

In light of the number of privacy and data security-related bills currently being considered by Congress, we thought it might be helpful to provide a roundup of the legislation introduced or circulated to date:

Comprehensive privacy legislation:

  • BEST PRACTICES Act, H.R. 611 (Rep. Rush): introduced Feb. 10, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 
  • Commercial Privacy Bill of Rights Act of 2011, S. 799 (Sens. Kerry and McCain):  introduced Apr. 12, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation.
  • Consumer Privacy Protection Act of 2011, H.R. 1528 (Reps. Stearns, Matheson, Bilbray, and Manzullo):  introduced Apr. 13, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 

Do Not Track:

  • Do Not Track Me Online Act, H.R. 654 (Rep. Speier):  introduced Feb. 11, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 
  • Do-Not-Track Online Act of 2011, S. 913 (Sen. Rockefeller): introduced May 9, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation. 

Children’s privacy:

  • Do Not Track Kids Act of 2011, H.R. 1895 (Reps. Markey and Barton):  introduced May 13, 2011.  Referred to the House Committee on Energy and Commerce. 

Data security and breach notification:

  • Data Accountability and Trust Act, H.R. 1707 (Reps. Rush, Barton, and Schakowsky):  introduced May 4, 2011.  Referred to the House Committee on Energy and Commerce. 
  • Data Accountability and Trust Act of 2011, H.R. 1841 (Reps. Stearns and Matheson): introduced May 11, 2011.  Referred to the House Committee on Energy and Commerce. 
  • Personal Data Privacy and Security Act of 2011, S. 1151 (Sens. Leahy, Schumer, Cardin, and Franken):  introduced June 7, 2011.  Referred to the Senate Committee on the Judiciary. 
  • Secure and Fortify Electronic Data Act, H.R. ___ (Rep. Bono Mack): discussion draft released June 13, 2011.  Hearing held by the House Subcommittee on Commerce, Manufacturing, and Trade.
  • Data Security and Breach Notification Act, S. 1207 (Sens. Pryor and Rockefeller): introduced June 15, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation. 

Geolocation privacy:

  • Geolocation Privacy and Surveillance Act, H.R. 2168 (Reps. Chaffetz and Goodlatte): introduced June 14, 2011.  Referred to the House Committee on the Judiciary and the House Committee on Intelligence (Permanent Select). 
  • Geolocation Privacy and Surveillance Act, S. 1212 (Sen. Wyden): introduced June 15, 2011.  Referred to the Senate Committee on the Judiciary. 
  • Location Privacy Protection Act of 2011, S. 1223 (Sens. Franken and Blumenthal): introduced June 16, 2011.  Referred to the Senate Committee on the Judiciary. 

ECPA:

  • Electronic Communications Privacy Act Amendments Act of 2011, S. 1011 (Sen. Leahy):  introduced May 17, 2011.  Referred to the Senate Committee on the Judiciary. 

Financial privacy:

  • Financial Information Privacy Act of 2011, H.R. 653 (Reps. Speier, Hastings, and Filner): introduced Feb. 11, 2011.  Referred to the House Subcommittee on Financial Institutions and Consumer Credit. 

U.S. Chamber of Commerce Hosts Event on Challenges to the Free Flow of Electronic Commercial Information

by Katie Keith

On June 16, 2011, the United States Chamber of Commerce organized a forum for business leaders addressing challenges to the free flow of electronic commercial information. Panelists included academics, government officials, and policy and privacy directors from Google, AT&T, GE, Citigroup, and IBM. The event was moderated by leaders from the Commerce Department, and Secretary of Commerce Gary Locke provided the keynote address. A full agenda can be found here.

The participants were unanimous in their recognition of the economic role of e-commerce and the need for market-oriented solutions to promote innovation and expansion. Secretary Locke pointed to the $10 trillion of business conducted online, and one speaker noted a recent OECD report which found that broadband and information and communication technology applications are very likely to exceed the economic effect of any other technology, including electricity and steam technology.

Business leaders, however, report that foreign governments increasingly restrict the free flow of information with implications for the economy, business community, and consumers. The number of countries with such restrictions has increased tenfold since 2002 and can have a pronounced economic impact. For example, a conservative estimate of the impact of an Internet shutdown in Egypt reflected direct losses of $90 million.

European Regulators Continue to Struggle With New Cookie Rule

In 2009, Directive 2002/58/EC, the so-called ePrivacy Directive, was amended.  The deadline for EU Member States to implement the revised Directive in their national laws was May 25, 2011, but very few Member States met the deadline and even today, almost one month after the deadline, discussions remain ongoing in most national parliaments.  The implementation efforts that have occurred vary, suggesting that there will be variations among national outcomes rather than an EU-wide approach.

As background, the ePrivacy Directive regulates the use of “technology aimed at storing and accessing information on the user’s terminal equipment.”  The 2002 Directive required that users (i) be informed about the use of such technology, and (ii) be offered the right to refuse it.  This requirement, better known as "the cookie-rule," traditionally has been implemented through website privacy policies that inform visitors of the use of cookies and how they can refuse them through browser settings.

But the 2009 revision of the ePrivacy Directive calls into question the well-established practice of relying on browser settings to infer user consent.  The revised article 5.3 replaces the “right to refuse” of the old article 5.3 with a “consent that has been obtained” -- a language change that suggests that prior consent may be required.  At the same time, however, the amending Directive contains a recital stating that “user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”  The contradiction between the strengthening of the consent requirement in section 5.3 of the revised Directive, on the one hand, and the reference to the traditional browser-consent in the recital, on the other hand, has caused uncertainty for businesses and national legislators.

Given this uncertainty, national outcomes are expected to diverge from one Member State to another.  The below examples of (partial) implementation of the revised article 5.3 to date illustrate the difficulty of forecasting a possible EU-wide outcome:

Rep. Bono Mack Circulates Data Security Bill in Advance of Subcommittee Hearing

by David Fagan, Libbie Canter, and Josephine Liu

The House Subcommittee on Commerce, Manufacturing and Trade held a hearing yesterday on draft data security legislation authored by Chairwoman Mary Bono Mack (R-CA).  The hearing was very well attended with significant substantive engagement by Subcommittee members on both sides of the aisle — an indication that the Subcommittee and the broader House Energy and Commerce Committee are committed to moving data security legislation this year.  To that end, it is worth noting that while the House last year passed legislation drafted by Rep. Bobby Rush (D-IL) — which was re-introduced earlier this year, along with similar legislation from Rep. Cliff Stearns (R-FL) — Rep. Bono Mack’s legislation, the Secure and Fortify Electronic Data Act, or SAFE Data Act, is expected now to form the basis for legislation in the House this year.

Commerce Department Requests Comments on Proposed Cybersecurity Codes of Conduct

The Commerce Department is calling for the creation of nationally recognized, voluntary codes of conduct to help strengthen cybersecurity protections for online businesses.  The Department issued its recommendations in a green paper on “Cybersecurity, Innovation and the Internet Economy,” which was released on June 8, 2011.  As noted in today’s Federal Register, the Department will be accepting comments on the green paper until August 1, 2011. 

As we discussed last month, one element of the White House’s recent legislative proposal for cybersecurity focuses on core critical infrastructure operators such as the electricity grid, the financial sector, the water system, and transportation networks.  The Commerce Department’s report complements the legislative proposal by concentrating on another sector of the economy – what the report calls the Internet and Information Innovation Sector (“I3S”).  The I3S encompasses businesses that create or utilize the Internet or networking services and have a large potential economic impact, including electronic retailers, social networking sites, cloud computing firms, and online transactional service providers.

Working Party 29 Issues New Opinion on Prevention of Money Laundering and Terrorist Financing

Earlier this week the European group of national data protection authorities, collectively the Working Party 29 ("WP 29"), released a new opinion on data protection issues relating to the prevention of money laundering and terrorist financing.  The new paper features a slew of new recommendations from the WP 29 that are designed to enhance privacy and data protection in this area.  Among the most prominent of the recommendations are proposals to:

  • review the overarching framework of anti-money laundering and anti-terrorist financing laws at the EU and national levels to ensure compatibility with privacy rights and data protection; 
  • increase EU harmonisation of anti-money laundering and anti-terrorist financing laws, in part to enshrine the "purpose limitation principle" that stands behind data retention, protection and privacy laws; 
  • provide clearer and enhanced guidance for bodies involved in the collection and processing of personal data where terrorist financing or money-laundering issues are prominent; 
  • better balance "tipping off" rules to enhance compatibility with data protection; 
  • introduce "stress tests" for organisations that use BCRs; 
  • introduce "required benchmark" tests for adequacy findings for international transfers; and 
  • improve coordination between financial authority regulators, data protection authorities and financial intelligence units.

Although scant detail is given, the paper ends with a promise by WP 29 to "follow up" on the proposals.

FTC Launches Online Advertising Review

by Rob Sherman and Allison Ray

The FTC’s recent announcement [PDF] that it will update its decade-old guidance on online advertising—known as Dot Com Disclosures [PDF]—has inspired animated industry discussion.

In its request for comments, the FTC highlighted that forums for online advertising that we take for granted today -- such as social media and mobile apps -- didn't exist when the Disclosures were released in 2000, and so the guidelines will need to be updated to address these new forms of communication.  (Eric Robinson discusses this point in his post at the Citizen Media Law Project.)  For companies that place or distribute online advertising, these changes may have a particularly significant impact, particularly since they will need to be framed in a way that is flexible enough to account for changes in the industry and technology that we haven't yet seen.

When they were first released, the FTC intended the Dot Com Disclosures to import traditional advertising disclosure rules into the online context. The guidelines set a performance standard for disclosures rather than a technical checklist, allowing marketers some flexibility in creating disclosures as long as disclosures met a “clear and conspicuous” standard. Both the FTC and industry commenters noted the danger of creating overly rigid rules at a time when consumer understandings and the internet itself were constantly transforming.

Regulators Take Aim at Social Networking Privacy

Over the past few weeks, online publishers have seen regulators' focus on privacy in the social media context reach the boiling point.  Just this week, Politico reported that FTC Chairman Jon Leibowitz confirmed in a letter to Sen. Mark Pryor that "FTC staff are carefully monitoring the privacy and security issues associated with social networking sites."  Sen. Pryor, who chairs the Consumer Protection Subcommittee of the Senate's Committee on Commerce, Science, and Transportation, had expressed concern about privacy and security issues in the context of social media apps, and so we expect that social media privacy issues will play a key role in forthcoming online privacy legislation.  (We've posted Sen. Pryor's letter to Leibowitz here.)

The announcement of the FTC's focus on social networking comes on the heels of the FTC's highly publicized settlement with Google over its Buzz product, which Erin Egan reported on earlier this year and which was just approved by the court last week.  According to FTC blogger Lesley Fair, the agency alleged that consumers "weren’t adequately informed that certain information that had been private — including the people they chatted with or emailed most often — would be shared publicly by default."

For other online publishers, the headline from the Google Buzz settlement is the requirement that Google implement a comprehensive "privacy by design" program across all of its products.  In a recent speech, FTC Consumer Protection Bureau Chief David Vladeck pointed to this aspect of the Google settlement as a key shift in the agency's expectations for social media providers generally.  In fact, the FTC has announced that it wants the privacy by design provisions of the Google settlement to "serve as a guide to industry."  Privacy by design programs, it said, are a "good idea for all companies" and should be "flexible and scalable."

House Subcommittee Holds Data Security Hearing

Yesterday, the House Subcommittee on Commerce, Manufacturing and Trade held its second hearing on data security in the past month.  The hearing featured the testimony of top executives from Sony and Epsilon, companies that recently have been the victims of large-scale cyber attacks.  The hearing focused mainly on the specifics of the recent attacks, the companies' notification of affected individuals, and the steps the companies have since taken to improve the security of their networks.  The prospect of federal data security legislation was discussed briefly, however, and both the members and the witnesses agreed that such legislation would ease the burdens on businesses, which currently must navigate a complex (and sometimes inconsistent) terrain of state data security laws. 

As we have previously noted, two members of the Subcommittee, Reps. Rush and Stearns, have introduced comprehensive data security legislation in this Session.  At yesterday's hearing, Subcommittee Chairman Mary Bono Mack reaffirmed her intention to do the same.  In her opening statement, she explained that her bill would be based on three guiding principles: 

  • First, companies and entities that hold personal information must establish and maintain security policies to prevent the unauthorized acquisition of that data.
  • Second, information considered especially sensitive, such as credit card numbers, should have even more robust security safeguards.
  • Third, consumers should be promptly informed when their personal information has been jeopardized. 

It is unclear whether Rep. Bono Mack's bill will differ substantially from those introduced by Reps. Rush and Stearns (which are themselves very similar to each other).  But based on this brief statement, it appears that the bill might distinguish between the security requirements for different types of data, which neither the Rush nor the Stearns bill does. 

House Energy & Commerce Committee Outlines Privacy Agenda

The House Energy and Commerce Committee has announced plans for a “comprehensive review” of privacy and data security regulation.  The announcement explained that the “first phase” of the Committee’s review would be devoted to an assessment of the need for data security legislation.  The committee will then consider what Chairman Fred Upton referred to as “the more complex questions about individual privacy in the digital era.”

There has already been considerable activity on the data security front in the Committee, with members Cliff Stearns and Bobby Rush proposing broad legislation and Mary Bono Mack pledging to do the same.  Much of this activity has taken place in the Subcommittee on Commerce, Manufacturing and Trade (of which Stearns and Rush are members and Bono Mack is chair).  But in the press release outlining the agenda, Rep. Greg Walden, who chairs the Communications and Technology Subcommittee, also weighed in on the importance of the issues surrounding data protection.  It remains to be seen whether this Subcommittee -- which has been involved in privacy and data security issues in past Congresses -- will become more involved in this Congress.

On a related note, the Commerce, Manufacturing and Trade Subcommittee held a hearing on data security yesterday.  We will discuss that hearing in a subsequent post. 

Illinois Bill Would Require Specific Contents for Breach Notification Letters

The Illinois legislature has passed a bill that would require data owners to include specific information in a letter notifying an Illinois resident of a data breach affecting that resident’s personal information.  The bill, which still must be signed by Governor Pat Quinn, would require notice letters to include “(i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.”  The bill would also require that the letters not include “information concerning the number of Illinois residents affected by the breach.”

Illinois would join several other states whose breach notice laws require consumer letters to include specific contents.   If Gov. Quinn signs the bill, its requirements would take effect next year.   

California Senate Again Rejects "Social Networking Privacy Act"

For the second time in a week, the California Senate has voted down “The Social Networking Privacy Act” (S.B. 242), a bill that would have required social networking services to, among other things, restrict the sharing of information by default, establish a process for new users to configure privacy settings during registration, and remove all of a user’s personal information from the service within 96 hours of the user’s request for removal. 

The bill had been vigorously opposed by leading Internet companies who argued that the bill would harm California’s economy and violate the U.S. Constitution. 

S.B. 242, which would have been the first law to specifically target the privacy practices of social networking services, is not the only controversial privacy bill to have been recently introduced in the California Senate.  S.B. 761, which would establish a “do not track” requirement to be implemented by the California attorney general, has also raised constitutional concerns.  As we noted in this previous post, S.B. 761 would prohibit any covered entity (a term that is broadly defined) from selling, sharing or transferring a consumer’s information.   This provision has been amended since our post to provide a limited exception allowing a covered entity to share information when necessary to complete a transaction.  Some have argued that even with this exception, the restriction on sharing would violate the Dormant Commerce Clause and the First Amendment.      

India's New Privacy Rules: Potential Impact on Outsourcing Arrangements

By Shamma Iqbal and Helena Marttila

This April, the Indian government quietly passed the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (the "Rules"). Among other things, the Rules require written consent for the processing of "sensitive personal information" in India and that organizations processing personal information in India implement reasonable security practices and procedures. As drafted, the Rules apply to organizations that process personal information, including sensitive personal information, in India regardless of where the information originates or whether the information relates to Indian or non-Indian citizens. The Rules also do not differentiate between "data controller" and "data processor" and thus it is likely that they apply to all organizations engaging in data processing activities in India, whether or not the processing is performed on behalf of other organizations.

Much ambiguity surrounds the interpretation and practical effect of the Rules, and the Indian government had not provided any clarification on the Rules at the time of writing, although it is expected to respond to questions posed by industry stakeholders on the meaning of certain provisions in the coming weeks.

The key features of the Rules, and their potential application, are discussed below:

1. Definition of Sensitive Personal Information. The Rules provide an exhaustive definition of "sensitive personal data", which is similar to the definition contained in the EU Privacy Directive. This definition encompasses passwords, financial information, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information. The definition excludes any information that is freely available or in the public domain.

2. Privacy Policy Requirement. Organizations based in India are required to adopt a privacy policy to cover their processing of personal information and sensitive personal information. The Rules set forth certain disclosure obligations for such policies, e.g., disclosure of the categories of information collected and the purposes of the processing.

Swiss Privacy Law Halts Google's StreetView -- But Is Unlikely To Affect Photojournalism

The recent decision of the Swiss Federal Tribunal (EDÖB v Google, Trib. Admin. Fed.) against Google Street View has raised new and important questions for many industries, not least for other enterprises that use photography of individuals in countries subject to data protection laws based on the EU model.

In the Google case, the Swiss Court reaffirmed the EU Working Party 29 position that images of people constituted "personal data" because they made individuals distinct and identifiable, and that consequently data protection laws applied. Given the provisions of these laws, the court chided Google for improperly collecting Street View data originally and then subsequently failing to fully anonymize this data before publication. Although the court acknowledged that Google had blurred "up to 95% of faces and license plates" photographed, this remained insufficient. Even when blurred, photos of individuals near "sensitive places" (such as women's shelters) remained a serious concern for the court.

European views on privacy have, in the past, run headlong into journalistic efforts. Those watching the development of European privacy law under Article 8 of the European Convention will recall the result in a case brought by Princess Caroline of Monaco, who won a landmark ruling in 2004 preventing the German press from publishing photographs of her and her children while in public places -- photographs that would be entirely permissible under the laws of the United States and many other countries. But the Swiss case does not appear to add new burdens for journalists.
