
The Tip of the Night for October 11, 2015, described the ruling of the EU Court of Justice in Schrems v. Data Protection Commissioner. The Irish Data Protection Commissioner had rejected a claim by Schrems that the American data protection scheme did not provide the level of protection required under EU privacy law. The EU Court of Justice overturned this ruling, in effect invalidating the safe harbor scheme developed by the United States Department of Commerce for allowing the transfer of personal data to the United States under EU privacy law.

On December 1, 2015, Schrems filed an update to his initial complaint against Facebook with Ireland's Data Protection Commissioner. Schrems' position is that Facebook's Standard Contractual Clauses should not provide an alternate means of transferring data outside of the safe harbor scheme, and the Irish Data Protection Commissioner agreed with him. The case is now under review by the Irish High Court before Judge Caroline Costello, who may uphold the DPC's decision and refer the case to the Court of Justice of the European Union. Facebook's right to transfer data under the SCCs has not been suspended for the time being. The trial before the High Court concluded on March 15, 2017. The court may decide that the question of the validity of the SCCs should be heard by the Court of Justice of the European Union. Check this page on the site of Ireland's Data Protection Commissioner for a final ruling in the case.


Here's the conclusion of my outline of the Sedona Conference's Data Privacy Primer, which I last blogged about on January 22, 2017.

B. Fair Credit Reporting Act

1. Overview

a. Enacted in 1970 to regulate consumer reporting industry such as Equifax, TransUnion, Experian, and others.

2. Duties of Consumer Reporting Agencies

(1) Accuracy

(2) Disclosure [all information in the file]

(3) Investigation [must conduct investigation when consumer questions accuracy]

(4) Free Consumer Reports [at least once a year];

(5) Permissible Uses

i. court order or subpoena

ii. to person who the report pertains

iii. use report in connection with extension of credit, employment, insurance underwriting, licensing or conferring of government benefits, legitimate business need.

iv. capacity to pay child support.

v. agency administering child support plan

vi. to FDIC or NCUA

c. Individual can opt out of sharing of information with affiliate.

3. Furnishers of Information to CRAs

Individuals can dispute accuracy of information furnished to the CRA and the furnisher must notify the CRA.

4. Users of Consumer Reports

The FCRA provides that a person may not procure a consumer report for employment purposes unless the employer or potential employer discloses in writing to the consumer that a report is to be obtained and the consumer authorizes in writing that a report can be obtained.

5. Limitations on Information Contained in Credit Reports

No CRA can make a consumer report containing any of the following information:

1. Bankruptcy cases more than 10 years old.

2. Civil suits older than 7 years, or those for which the statute of limitations has expired.

3. Tax liens older than 7 years.

4. Accounts placed for collection older than 7 years.

5. Any other adverse information other than a conviction record which is more than 7 years old.

6. Contact information for any medical information furnisher.

These restrictions are not applicable in credit transactions for more than $150,000; insurance agreements with a face amount of $150,000; and jobs with a salary of more than $75,000.

6. Private Rights of Action and Damages

Consumers have a private remedy against “negligent or willful misconduct by a furnisher” of consumer credit information, but this right only arises once the furnisher has received a notice from the CRA disputing the accuracy or completeness of the information provided. The FCRA’s statute of limitations extends to two years after the date when the plaintiff discovers the violation or five years after the date of the violation, whichever occurs earlier.

7. Rulemaking and Enforcement

FCRA is enforced by the FTC and the CFPB.

C. Right to Financial Privacy Act of 1978

Court decisions (United States v. Miller) held that an individual had no right of privacy in his or her financial records, so Congress enacted the Right to Financial Privacy Act of 1978.

1. Overview of RFPA

Only applies to federal agencies. Covers card issuers. Companies of more than five individuals are not covered.

2. Obligations of RFPA

(a) Limitations on Federal Government Requests

Must state specific basis for request. Can't transfer to other federal agency except for law enforcement purposes and intelligence.

(b) Financial Institution's Obligations

Upon receipt of a government request, the financial institution must obtain the individual's consent, and can't make this consent a condition of doing business with the individual.

3. Civil Penalties for Non-Compliance

Liability can equal $100 regardless of the number of records; actual damages; punitive damages; and costs of the action. Financial institutions have immunity for disclosures made for reports such as the Suspicious Activity Report (SAR) with Financial Crimes Enforcement Network.

VII. WORKPLACE PRIVACY

A. Legal Framework

1. Regulatory Protections

Electronic Communications Privacy Act prohibits interception of communications while in transit or stored on computers. Business can monitor employee communications on a business provided device.

2. U.S. Constitution

A pivotal determination in cases involving governmental invasion of privacy is whether the government employee has a reasonable expectation of privacy in relation to the conduct of the governmental employer.

3. State Issues

Connecticut and Delaware require employers to give notice before monitoring employee communications.

B. Use of Computer Equipment and Email

City of Ontario v. Quon (U.S. 2010) - a government search of employee texts was reasonable since the measures adopted were reasonably related to the objectives of the search, and the search was justified at its inception. Many court decisions have found that employers can monitor communications on company provided devices. In addition to ownership of the device, courts consider the existence and scope of a company’s computer usage policy, steps taken by the employee to maintain the privacy of personal emails, the use of the company-owned computer system, and the content of the communication at issue.

C. Bring Your Own Device Policies

Rajaee v. Design Tech (S.D. Tex. 2014) - an employee who used his own phone for business could not bring a claim under the ECPA after data (including personal data) was wiped from his private device by his employer.

D. Social Media Privacy

There are costly and protracted risks associated with social media.

1. Passwords and Other Login Information

19 states have passed laws that prevent employers from requiring employees to hand over login information for social media sites.

2. Content Monitoring

Ehling v. Monmouth (D.N.J. 2013) - the Stored Communications Act was not violated when an employer used private data on Facebook, which it only had access to through the employee's Facebook friend, as grounds for suspension. The NLRB concluded that Costco was in violation of the National Labor Relations Act (NLRA) by maintaining and enforcing a rule prohibiting employees from electronically damaging the company's or any employee’s reputation.

VIII. STUDENT PRIVACY

A. Family Educational Rights and Privacy Act

Educational records cannot be transferred without student or parental consent. Rights transfer to the student at 18. However, institutions can disclose directory information.

Consent is not required when all PII has been removed such that the student cannot be identified.

Children's Online Privacy Protection Act (COPPA) - 1998 - governs online collection of data about children. The FTC says that under COPPA, service providers can rely on an educational institution having obtained consent when collecting information.

Institutions must provide students access to their records within 45 days of the receipt of a request. There is no private right of action for a violation; a complaint must be filed with the Family Policy Compliance Office.

B. Protection of Pupil Rights Amendment

Prevents schools and third parties from learning certain information about students. The PPRA requires institutions that receive Department of Education funding to develop policies on parents' right to inspect surveys; right to inspect instructional material; opt out of non-emergency physical exams; opt out of collection of information for marketing purposes.

The PPRA does not provide a private right of action. A complaint must be filed with the Family Policy Compliance Office within the Department of Education.

C. State Laws

In 2015, 14 states enacted legislation addressing the privacy rights of students.


Here's a continuation of my outline of the Sedona Conference's Data Privacy Primer, which I last blogged about on January 16, 2017.

IV. GENERAL CONSUMER PROTECTION

A. Federal Privacy Statutes of General Applicability

1. Federal Trade Commission Act

Section 5 actions against entities that fail to protect consumer privacy and fail to properly secure personal information. E.g., August 2015, the FTC announced settlements with 13 companies that claimed to be current participants in the now defunct EU-US Safe Harbor Framework but whose certifications had either lapsed or never been submitted.

2. Children’s Online Privacy Protection Act (COPPA)

Protects the PII of children under 13 - websites can't collect it.

3. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)

- prohibits deceptive header information in spam.

- requires method to opt out of further messages.

- For email messages containing sexually oriented material, the first 19 characters on the subject line must be, in all caps and as depicted “SEXUALLY-EXPLICIT:” and that same phrase must also appear when the email is opened.

4. Telemarketing Act

a. prohibits abusive or coercive calls.

b. restricts the hours of the day unsolicited calls may be made.

c. promptly disclose the purpose of the call.

d. Telemarketing Sales Rule - the FTC can address deceptive telemarketing practices at its discretion. Set up the Do Not Call Registry.

5. Communications Act of 1934

a. Covers Consumer Proprietary Network Information made available by the consumer to the carrier solely by virtue of their relationship; billing information, but not subscriber list information.

b. FCC Declaratory Ruling: CPNI applies to information stored in mobile devices when the carriers have access to that information.

c. Feb. 2015 FCC order - ISPs were made common carriers, and privacy and data security protections were imposed on them. They can disclose CPNI only to the extent necessary to provide telecommunications services. Regulations also impose customer approval requirements and incident notification and response requirements. Must notify the FBI of a breach within 7 days.

d. FCC - failure to secure personal information violates a statutory duty. April 2015: $25M civil penalty against AT&T. $7.6M penalty on Verizon for failure to generate opt-out notices.

6. Telephone Consumer Protection Act of 1991

a. Prevents telemarketing to hospitals, nursing homes and emergency lines; prerecorded telemarketing calls to residences; unsolicited ads via fax; making solicitations outside the hours of 8 AM to 9 PM.

b. June 2015 FCC Declaratory Ruling and Order - text messages require consent. Call blocking technology can be used by carriers to prevent robocalls. Some pro-consumer financial and healthcare messages are exempt.

B. State Statutes of General Applicability

1. Disclosure of PII by Non-Governmental Entities

a. California law prohibits including information on a credit report that is the result of identity theft, and sharing PII without the customer's consent.

2. Use of Consumer PII for Marketing Purposes

a. California 'Shine the Light' statute - customers have the right to know how their PII is shared and to opt out.

3. Data Disposal Requirements

California law requires businesses to shred, erase, or modify the PII when disposing of consumer records under their control.

4. Digital Assets After Death

An estate representative can gain access; in Nevada, however, the executor of the person’s estate is only granted authority to terminate the accounts.

5. Children's Online Privacy

California’s Privacy Rights for California Minors in the Digital World Act allows minors to request and obtain the removal of content about them posted on a website or other online application.

6. Breach Notification and Data Security Laws

47 states have laws requiring notification when there is unauthorized access of PII.

V. HEALTH

A. HIPAA

1. Overview of HIPAA Privacy and Security Rules

a. Health Insurance Portability and Accountability Act of 1996.

b. HIPAA Privacy Rule of 2000 - prohibits the unauthorized disclosure of protected health information (PHI).

c. HIPAA Security Rule of 2003 - safeguards for the protection of electronic healthcare information. A risk analysis is required.

2. Protected Health Information and De-Identification Standard

a. Safe Harbor Method - removal of all 18 HIPAA identifiers

b. Expert Determination Method - statistical analysis to ensure there is little risk of re-identification.

3. Uses and Disclosures of PHI - an authorization must disclose the use of the information and include a statement regarding the individual's right to revoke the authorization.

a. can be disclosed to HHS for compliance investigation or enforcement action.

b. minimum necessary requirement.

c. exceptions to general requirement for authorization:

1. to individual

2. treatment or payment operations

3. when individual has opportunity to agree or object.

4. public health activities.

5. judicial and administrative proceedings.

6. law enforcement

7. facilitate organ transplants

8. essential government functions.

d. Consent is required before disclosure of PHI for research purposes, but there are exceptions: Institutional Review Board waiver, if the research cannot practicably be conducted otherwise; Limited Data Set, in which indirect identifiers may be used.

4. Notice of Privacy Practices (NPP)

5. Rights of Access, Amendment and Disclosure Accounting

Individuals have a right to an accounting of the disclosures of their PHI to a covered entity’s business associates made in the preceding six years.

6. Administrative Requirements

a. Privacy Officer is responsible for developing policies and procedures.

b. sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule;

c. mitigating any harmful effect that may be caused by an improper use or disclosure of PHI

7. Breach Notification Under Health Information Technology for Economic and Clinical Health (HITECH) Act

a. HIPAA violation liability is extended to business associates to whom protected health information is disclosed

b. An impermissible use/disclosure is now presumed to be a breach unless it is shown, based upon a risk assessment, that there is a low probability of PHI being compromised.

c. Maximum penalty of $1.5 M per violation.

8. Audits

a. A 2011 audit revealed that the vast majority of covered entities failed to comply with mandatory HIPAA requirements.

9. Enforcement

a. The HHS Office for Civil Rights enforces HIPAA. E.g., in February 2015, health insurer Anthem suffered a breach involving 80 million current and former members, the largest ever disclosed by a healthcare company, which affected customers of all product lines, including Anthem Blue Cross, and Anthem Blue Cross and Blue Shield. The breach prompted a multi-state insurance regulator investigation and more than 50 putative class action lawsuits.

B. State Laws on Privacy of Health Information

1. Alaska Genetic Privacy Act

DNA samples can't be collected without an individual's informed consent. But the law arguably has no application to routine tests a person could obtain at most doctors’ offices, and has exemptions for law enforcement and paternity testing. The statute has only rarely been invoked.

2. California Confidentiality of Medical Information Act

a. the statute expressly includes “other information that, alone or in combination with other publicly available information, reveals the individual’s identity.”

b. CMIA also expressly permits a psychotherapist to disclose information if he or she believes, in good faith, that “disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a reasonably foreseeable victim or victims, and the disclosure is made to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.”

c. Affirmative defense available if defendant issues notification; no medical identity theft; preventive actions were taken to protect the information including encryption; corrective action taken; and recipient did use the records and returned them promptly.

d. California Court of Appeals ruled that negligent storage of information does not create a cause of action, and that there is no cause of action if an unauthorized person does not view the information.

3. Texas Medical Privacy Act

a. The Texas law broadens HIPAA’s definition of “covered entity” to include any person who “comes into possession” of PHI.

b. The Texas law broadly prohibits the sale of PHI. The only exceptions to the prohibition on receiving direct or indirect remuneration in exchange of a disclosure of PHI are that a covered entity may disclose PHI to another covered entity for the purposes of treatment, payment, health care operations, certain insurance functions defined by statute, or as otherwise authorized or required by state or federal law.

c. No cause of action by individuals for disclosure.

VI. FINANCIAL

A. The Gramm-Leach-Bliley Act

1. Overview of GLBA

a. Broke down barriers between financial services entities such as banks and securities firms.

b. Customer [entity with long term relationship]/ consumer [individual who uses services for personal reasons] distinction

2. Information Protected by GLBA

“personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution”

3. Obligations of GLBA

a. Safeguards Rule - internal handling of information.

b. Privacy Rules - use and sharing of information

c. Notification Obligations - customers receive notifications automatically when policies are changed, but consumers only when information is shared with a third party.

d. Non-affiliated Parties - Section 6802 prohibits sharing of information with some exceptions such as for marketing purposes, financial services offered through joint agreements, for fraud detection, or with regulatory agencies.

e. Model Privacy Form - section 6804 allows agencies to prepare these forms which can provide safe harbor.

4. Relationships with State Regulations

Section 6807 states that no provision of GLBA supersedes any State statute or regulation. Bureau of Consumer Financial Protection determines if state regulations are inconsistent with GLBA.

a. California Financial Information Privacy Act - covers consumers who don't have continuous relationships with financial institutions.

5. Rulemaking and Enforcement

a. After the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010, the CFPB took over rulemaking from the FTC. The GLBA is enforced by federal banking agencies and other federal regulatory authorities as well as state insurance authorities. The GLBA Privacy Rule is enforced by the FTC.

B. Fair Credit Reporting Act

1. Overview

a. Enacted in 1970 to regulate consumer reporting industry such as Equifax, TransUnion, Experian, and others.

2. Duties of Consumer Reporting Agencies

(1) Accuracy

(2) Disclosure [all information in the file]

(3) Investigation [must conduct investigation when consumer questions accuracy]

(4) Free Consumer Reports [at least once a year];

(5) Permissible Uses

i. court order or subpoena

ii. to person who the report pertains

iii. use report in connection with extension of credit, employment, insurance underwriting, licensing or conferring of government benefits, legitimate business need.

iv. capacity to pay child support.

v. agency administering child support plan

vi. to FDIC or NCUA

c. Individual can opt out of sharing of information with affiliate.

3. Furnishers of Information to CRAs

Individuals can dispute accuracy of information furnished to the CRA and the furnisher must notify the CRA.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea. Proudly created with Wix.com
