Electronic Discovery Institute Course - Class 17 - Data Privacy
Here's a continuation of my postings about the Electronic Discovery Institute's online e-discovery certification program, that you can subscribe to for just $1. I last blogged about this program on January 19, 2018. Go to https://www.lawinstitute.org/ to sign up for it.
This course on Data Privacy is taught by David Moncure, legal counsel for Shell Oil; Erin Pope, Chief Privacy Officer for Golden Living; and Christina Ayiotis an attorney specializing in privacy and data protection.
Introduction & Overview
Data privacy rules concern personal data, not business information. A document that contains some personal information, may still be produced if it has business information. Private information may also include the trade secrets and intellectual property of a business. There may be technical solutions, such as digital rights management, that will allow parties to only access the information they need.
Companies are gathering more information on both their employees and customers than ever before. There are more than 100 countries with privacy regulations - up by 50% from 10 years ago. There are special rules governing, PHI, personal health information, and PII, personally identitable information.
Personal data means anything that can identify a person - even an IP address from a computer. Sensitive personal information, includes biometric, health, criminal and other types of information.
Data Privacy in the Corporate Context
Corporations must have special procedures in place for storing personal information.
Data Breach and Cybersecurity
A data breach is a legal term of art - a specific definition under statutes.
There is usually a lot of co-mingling of data in different systems in any one business. Cybersecurity must properly address the protection of multiple networks. Cybersecurity must be accompanied by physical security and personnel security. New employees must be assessed as potential bad actors.
Data Privacy Laws & Breach Notification Requirements
There are many state specific laws addressing breach notification. The Gramm-Leach-Bliley Act addresses the privacy of financial information. Regulations called PCI standards govern the protection of credit card information. There is no overarching federal law governing privacy. There are federal laws concerning banking and healthcare which address privacy concerns. These various laws are not necessarily consistent. Some address only ESI, where others also cover hard copy records.
United States Privacy Framework
The FTC has general jurisdiction over unfair and deceptive practices. The HHS has jurisdiction over healthcare entities. Privacy issues can be addressed by these agencies.
There is a proposal to impose a federal standard, but this is objected to by some states that have more comprehensive rules for data privacy. Massachusetts has a law requiring the personal information of its citizens to be encrypted in some cases.
There are growing concerns about keeping information private in legal proceedings. A protective order may be issued to protect the personal data of individuals.
Law enforcement agencies used to have carte blanche access to the information held by companies. This has changed due to the Snowden revelations and the Schrems case. The U.S. Department of Commerce's safe harbor program was invalidated by the Schrems case. The U.S. / E.U. privacy shield is a new mechanism allowing for the transfer of personal data.
If a server is in a particular location, law enforcement will need a warrant to access the information on it. There are some circumstances where law enforcement can get information from service providers and prevent them from disclosing to their customers that the data has been accessed.
Health Insurance Portability & Accountability Act
HIPAA requires doctors and pharmacies to give patients privacy notices. A person's medical condition is covered by the privacy requirements of HIPAA. It requires that patients be informed if a breach occurs. The notice must indicate when the breach occurred and what steps are being taken to remedy the situation.
The portability aspect of the law allows patients to move their medical records from one healthcare provider to another. Some information is excluded from the requirements of HIPAA.
The EU, Canada, and Australia all recognize that an individual has the right to control information about themselves. Silicon Valley companies may be a force in preventing lawmakers from giving Americans more rights to control data about themselves.
HIPAA makes a distinction between secured and unsecured data. If data has been secured through encryption, the same reporting obligations won't apply in the event of a breach. There are different types of encryption. Data may be encrypted in motion or at rest.
Cloud data stored in Europe may not be fully transferable to the United States because of data privacy regulations there.
People tend to regard social media data as being private even thought it is publicly available.
International Data Privacy
The European Union has very strict rules with respect to processing personal data, and transferring it out of the EU. Data can be transferred out of the EU in one of four ways.
1. Safe Harbor program.
2. Personal consent.
3. Model clauses - in agreements between service providers and their customers.
4. Binding corporate rules - companies' internal policies approved by regulators allowing for the flow of data.
The General Data Protection Regulation will be effective in May of 2018. Any business that deals with EU citizens will have to comply with the GDPR. Companies must have data privacy officers.
The GDPR includes the right to be forgotten. An individual can force a company to erase the data that it has about them.
In the Asia Pacific region, there is an overarching privacy framework, but it is not mandatory.
Canada has a privacy scheme similar to that of the European Union. There are federal level privacy protections given to individuals. Data can be transferred from Canada to the EU more easily than it can be transferred from the United States.
Argentina has been recognized by the EU as a country which has adequate data protections.
Best Practices & Conclusions
One should always keep track of what data is collected, from whom it is collected, and where the collected data is stored.
One of the easiest methods of compliance with the GDPR will be binding corporate rules.
Bear in mind that technology will always outpace the law.