On August 23, 2024, the Brazilian Data Protection Authority (“ANPD”) published Resolution 19/2024, approving the Regulation on international data transfers and the content of standard contractual clauses (the “Regulation”).  The Regulation implements the international data transfer framework under the Brazilian General Data Protection Law (“LGPD”).

Continue Reading Brazil Issues New Regulation on International Data Transfers

On August 14, the FTC announced a final rule that, according to the FTC, is intended to “combat fake reviews and testimonials.”  The rule will go into effect on October 21, 2024.  This final rule is the culmination of the FTC’s issuance of an advance notice of proposed rulemaking (ANPRM) in November 2022 and notice of proposed rulemaking (NPRM) in June 2023.  We previously analyzed the draft rule presented in the NPRM. 

In response to public comments, the FTC made several substantive changes in the final rule.  Many of these changes narrow the rule in helpful ways for businesses concerned about the breadth of the proposed rule, although a few changes arguably expand the rule.  We have outlined some of the major differences between the draft and final rules below:

  • Fake or False Consumer Reviews, Consumer Testimonials, or Celebrity Testimonials.  This provision of the final rule largely retains the draft rule’s prohibitions on writing, creating, selling, purchasing, disseminating, or procuring so-called “fake or false” reviews and testimonials, but clarifies that they are limited to reviews/testimonials that “materially misrepresent” that the reviewer/testimonialist exists, that the reviewer/testimonialist has experience with the product, service, or business reviewed, or that the review/testimonial is based on that experience.  Additionally, the final rule introduces two new exceptions to this provision: the prohibitions on “purchasing,” “disseminating,” and “procuring” “fake or false” reviews/testimonials do not apply to “(1) reviews or testimonials that resulted from a business making generalized solicitations to purchasers to post reviews or testimonials about their experiences with the product, service, or business; or (2) reviews that appear on a website or platform as a result of the business merely engaging in consumer review hosting.”  The FTC further explained that this provision “will not prohibit an online business that hosts reviews from prompting the submission of reviews from the general public or from organizing, moderating, or aggregating them.”  The final rule also narrows the provision on “procuring” reviews so that it applies only to procuring reviews from company insiders.
  • Consumer Review Repurposing.  The proposed rule had sought to prohibit the use or repurposing of consumer reviews written for one product so that they appeared to have been written for a substantially different product, so-called “review hijacking.”  This section was eliminated from the final rule. 
  • Buying Positive or Negative Consumer Reviews.  The final rule retains the draft rule’s prohibition on providing compensation or other incentives in exchange for, or conditioned on, writing a review with a specific sentiment, and expands the scope of this provision by specifying that it applies to both express and implied conditions.  The FTC’s commentary accompanying the rule indicates that statements like “Tell us how much you loved your visit to John’s Steakhouse and get a $5 coupon” would violate this provision.
  • Insider Consumer Reviews and Consumer Testimonials.  The FTC narrowed the scope of this provision, which deals with writing, disseminating, or soliciting reviews written by a business’s own employees or immediate relatives, so that the prohibitions apply only when the connection to a so-called “insider” is “material.”  The final rule also introduces a new exception to this provision, clarifying that businesses will not be held liable for disseminating insider testimonials or soliciting insider reviews if they merely make a “generalized solicitation to purchasers” to post about their experiences.
  • Company-Controlled Review Websites or Entities.  This provision prohibits a business from materially misrepresenting that a website/organization/entity that it controls or owns provides independent reviews or opinions about a category of businesses, products, or services including the business or its products/services.  The final rule narrowed this provision by specifying that there must be a “material misrepresentation” and that the provision does not apply to websites that provide consumer reviews.
  • Review Suppression.  This provision prohibits threatening “unfounded or groundless” legal action, physical threats, intimidation, or public false accusations in an attempt to prevent consumer reviews from being written or to cause a consumer review to be removed.  It also prohibits a business from materially misrepresenting that the consumer reviews on its website or platform represent most or all reviews submitted when reviews are being suppressed based on ratings or negative sentiment.  The final rule’s version of this provision specifies that it applies to reviews that are “not displayable” rather than “not displayed” as proposed.  The FTC explained that this will only cover reviews that consumers are “unable to view even if they were to sort or filter the reviews differently.”  The language of the final rule also makes clear that the list of legitimate reasons to suppress reviews enumerated in the rule is not exhaustive.
  • Misuse of Fake Indicators of Social Media Influence.  This provision prohibits selling or distributing fake indicators of social media influence that can be used to materially misrepresent influence or importance for a commercial purpose.  It also prohibits purchasing or procuring fake indicators of social media influence to misrepresent influence or importance for a commercial purpose.  The final rule defines “fake indicators of social media influence,” a previously undefined term, as “indicators of social media influence generated by bots, purported individual accounts not associated with a real individual, accounts created with a real individual’s personal information without their consent, or hijacked accounts, or that otherwise do not reflect a real individual’s or entity’s activities, opinions, findings, or experiences.”  This is a helpful change for businesses, as the FTC confirmed that “if a company awards legitimate indicators of influence to certain users upon satisfaction of objective criteria reflecting the influence of the users, the company would not be selling ‘fake’ indicators, even if bad actors were able to deceive the company.”  The final rule also introduces a “knew or should have known” knowledge standard.

If you have any questions about the final rule and compliance strategy, please reach out to Laura Kim, Ali Remick, or Jessica Ke.

On 1 July 2024, Germany enacted stricter requirements for the processing of health data using cloud-computing services. The new Section 393 SGB V aims to establish a uniform standard for the use of cloud-computing services in the statutory healthcare system, which covers around 90% of the German population. In this blog post, we describe the specific new requirements for the processing of health and social data using cloud-computing. We also discuss whether the new rules may affect medical research and other projects that use cloud-computing to process health data.

1. Scope and Background of Sec. 393 SGB V

The new Section 393 SGB V (Social Security Code – Book V) was enacted as part of the recent “Digital Act” (see our earlier blog on the Digital Act). The title of Section 393 SGB V is “Cloud-Use in the Healthcare System“. It imposes specific requirements on healthcare service providers, statutory health insurers and their contract data processors when they process health data and social data using cloud-computing services. According to the German legislator, the provision aims at enabling the secure use of cloud services as a “modern, generally widespread technology in the healthcare sector and to create minimum technical standards for the use of IT systems based on cloud-computing”.

The new requirements apply to data processing using cloud-computing irrespective of whether the cloud-computing service is offered by an external vendor or is a tool that the healthcare provider or health insurer has developed in-house.

The term “cloud-computing service” is defined in the law as “a digital service that enables on-demand management and comprehensive remote access to a scalable and elastic pool of shared computing resources, even if these resources are distributed across multiple locations” (Section 384 Sentence 1 No. 5 SGB V). This reflects the corresponding definition of cloud-computing in Article 6 (30) of the NIS2-Directive (EU) 2022/2555 on cybersecurity measures. Services that fall under this definition include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

With regard to the terms “health data” and “data processing”, we refer to the corresponding provisions of the GDPR. As far as the new rule applies to “social data”, this term refers to a specific legal concept in Germany covering personal data that is intended to be processed by health and other social security insurers.

In terms of timing, the new Section 393 SGB V applies as from 1 July 2024 – without any transition or grace period or grandfathering rules.

2. Consequences for Healthcare Providers and Cloud Service Providers

Under Section 393 SGB V the processing of health data using cloud-computing services is subject to special requirements. Intended to ensure data security, these requirements provide that (a) the data may only be processed in certain geographical regions and (b) technical and organizational measures must be taken so that cloud service providers meet certain security requirements.

a) Geographical Requirements and Data Transfer Issues

Geographically, Section 393 SGB V requires that health and social data may only be processed

  • In Germany,
  • In an EU or EEA member state, or
  • In a third country under an adequacy decision by the European Commission.

Moreover, the new rules require for all these cases that the data processing entity has a business establishment (“Niederlassung”) in Germany.

Consequently, and in contrast to the requirements under the EU GDPR, Section 393 SGB V does not recognize the execution of the EU Standard Contractual Clauses (SCCs) or other means such as Binding Corporate Rules as adequate guarantees for cloud-computing services when personal data is processed in a third country that is not subject to an adequacy decision by the European Commission.

b) Stricter Technical and Security Compliance Requirements

From a technical and organizational viewpoint, Section 393 SGB V subjects the processing of health and social data using cloud-computing services to stricter requirements. Data processing using cloud-computing services needs to comply with these key conditions:

  • Appropriate technical and organizational measures have to be implemented to ensure data security.
  • A current C5 attestation (commonly referred to as a C5 certificate) has been issued to the data processing entity with regard to the “C5 basic criteria” for the cloud systems and the technology used. C5 (Cloud Computing Compliance Criteria Catalogue) is a cloud-computing standard developed by the German Federal Office for Information Security (“BSI“) to ensure that cloud service providers meet specific security requirements. It sets out a comprehensive set of criteria covering areas such as data protection, incident management, and compliance with legal obligations. A C5 attestation is an audit report issued by an independent auditor rather than a certification: a Type 1 report covers the design of the controls at a point in time, whereas a Type 2 report also covers their operating effectiveness over an audit period.
  • The cloud-computing customer (i.e., the healthcare provider and/or insurer) must implement the conditions and criteria that the C5 attestation report assigns to the customer side. The C5 standard assumes a shared responsibility between the customer and the cloud-computing service provider: criteria that the report identifies as the customer’s responsibility are not covered by the provider’s attestation and must be implemented and evidenced by the customer.

Until 30 June 2025, a C5 Type 1 attestation is considered “current” under Section 393 (4) SGB V. Thereafter, a C5 Type 2 attestation is required. Certifications offering a security level equivalent to BSI C5 may also be accepted if so specified in an ordinance to be issued by the German Federal Ministry of Health.

With respect to healthcare providers and health insurance companies, there are also some further technical and organizational requirements which these persons and entities have to meet when using cloud-computing services. These partly depend on the type of healthcare provider or institution concerned.

3. Implications for Medical Research with Pharmaceuticals and Medical Devices

Whether the new Section 393 SGB V also affects data processing in medical research projects is not fully clear. On the face of the statute, certain health data and some medical research projects could fall within the new requirements of Section 393 SGB V.

A number of medical and clinical research projects typically process health data from patients who are or were treated under the statutory health system. These projects especially include non-interventional studies with pharmaceuticals, post-market clinical follow-up (PMCF) investigations with medical devices, and registry studies that focus on a particular product or disease. Generally, research that involves or aims to generate real-world data appears relevant here. Even clinical trials regularly process data from routine medical treatment provided within the statutory health system, so that such health data falls under Section 393 SGB V.

Therefore, the question arises whether the processing of health data for such medical research projects by healthcare providers, sponsor companies and their data processors (e.g., CROs) is also subject to the new compliance requirements of Section 393 SGB V if they use cloud-computing. The answer is not straightforward but rather fact-dependent and requires a careful analysis of the individual circumstances.

While the risk appears low that clinical trials with pharmaceuticals, medical devices and diagnostics will be impacted by Section 393 SGB V, the situation appears different for studies that collect real-world data like non-interventional studies, PMCF studies or product/disease registries. For these, there is a risk that they may be subject to the requirements of Section 393 SGB V.

Relevant aspects to make an assessment for the respective research projects include the type of study/research, the origin of the processed health data, the technologies used for data processing and the legal status of the person processing the data.

4. Final remarks

With the new Section 393 SGB V, Germany has enacted new compliance and security requirements for the processing of health data when using cloud-computing services. The new requirements apply to healthcare providers, health insurances and their data processors and cloud-computing service providers that offer services to these groups. In this blog post, we have described the new technical, organizational and compliance requirements.

The new rules may also impact certain medical research projects that process (real-world) health data by using cloud-computing services. Such projects can include non-interventional studies with pharmaceuticals, PMCF studies with medical devices or (product/disease-focused) registry studies. Therefore, pharmaceutical and medical device companies should also review the potential impact of the new rules on their research activities.

The Life Sciences Team of Covington & Burling LLP in Frankfurt (Germany) will continue monitoring the developments in this area and is well positioned to assist clients in navigating through the various ongoing and upcoming legislative projects.

***

Minnesota and Rhode Island are the latest states to pass comprehensive privacy legislation, joining a number of states who have enacted similar laws.  This blog post summarizes the statutes’ key takeaways.

Continue Reading Minnesota and Rhode Island Pass Comprehensive Privacy Legislation

On August 1, 2024, the Office of the New York State Attorney General (OAG) released two Advance Notices of Proposed Rulemaking (ANPRMs) for the SAFE for Kids Act and the NY Child Data Protection Act. These ANPRMs solicit input that will help the OAG promulgate regulations in three areas: (1) identifying “commercially reasonable and technically feasible methods” to determine if a user is a minor; (2) identifying methods of obtaining verifiable parental consent; and (3) promulgating any needed language access regulations.

The two laws forming the basis for the rulemaking were enacted on June 20, 2024. The Stop Addictive Feeds Exploitation (SAFE) For Kids Act and the New York Child Data Protection Act contain broad requirements applicable to some companies offering services to children, as explained further below.

Continue Reading New York Begins Rulemaking for Two Children’s Data Privacy Laws

This update focuses on how growing quantum sector investment in the UK and US is leading to the development and commercialization of quantum computing technologies with the potential to revolutionize and disrupt key sectors.  This is a fast-growing area that is seeing significant levels of public and private investment activity.  We take a look at how approaches differ in the UK and US, and discuss how a concerted, international effort is needed both to realize the full potential of quantum technologies and to mitigate new risks that may arise as the technology matures.

Quantum Computing

Quantum computing uses principles of quantum mechanics to solve certain complex mathematical problems faster than classical computers.  Whilst classical computers use binary “bits” to perform calculations, quantum computers use quantum bits (“qubits”).  The value of a bit can only be zero or one, whereas a qubit can exist as zero, one, or a combination of both states (a phenomenon known as superposition), which allows quantum computers to solve certain problems far faster than classical computers.  The speedup is exponential for some problems, such as integer factoring, but much more modest for others, such as unstructured search. 

The applications of quantum technologies are wide-ranging and quantum computing has the potential to revolutionize many sectors, including life sciences, climate and weather modelling, financial portfolio management and artificial intelligence (“AI”).  However, advances in quantum computing may also lead to some risks, the most significant being to data protection.  Attackers could use a sufficiently large quantum computer to break the public-key cryptography in widespread use today (for example, RSA and elliptic-curve schemes) and so gain access to personal and sensitive data; encrypted data recorded now could be decrypted once such machines exist. 

This is a rapidly developing area that governments are only just turning their attention to.  Governments are focusing not just on “quantum-readiness” and countering the emerging threats that quantum computing will present in the hands of bad actors (the US, for instance, is planning the migration of systems handling sensitive data to post-quantum cryptography), but also on ramping up investment and growth in quantum technologies. 

Continue Reading Quantum Computing: Developments in the UK and US

The New York Office of Attorney General (OAG) recently published guidance on website privacy controls. Although New York does not have a comprehensive privacy law, businesses’ privacy-related practices and statements may be subject to New York’s consumer protection laws, which generally prohibit businesses from engaging in deceptive acts and practices. Accordingly, the OAG noted that “statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”

Continue Reading New York AG Issues Guidance on Website Privacy Controls

On August 2, 2024, Illinois’ governor signed into law S.B. 2979, a significant amendment to the Illinois Biometric Information Privacy Act (BIPA). The law states that an entity that, in more than one instance, obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of BIPA’s notice and consent requirement has committed a single violation. As a result, each aggrieved person is entitled to, at most, one recovery for a single collective violation.

Continue Reading Illinois Enacts BIPA Amendment Limiting Violation Accrual

This quarterly update highlights key legislative, regulatory, and litigation developments in the second quarter of 2024 related to artificial intelligence (“AI”), connected and automated vehicles (“CAVs”), and data privacy and cybersecurity. 

Continue Reading U.S. Tech Legislative, Regulatory & Litigation Update – Second Quarter 2024