Mintz Levin’s Immigration Law Blog is running a series titled “Innocents Abroad” addressing issues in an increasingly globalized economy where employers assign employees all over the globe.
These are big questions, reflecting some of the practical concerns in our international marketplace. The series focuses on the well-intentioned Global HR Director, Ned Help, who will raise hot topics and difficulties his company faces when sending their employees abroad. We will then explore the common pitfalls and offer practical solutions to the difficulties Ned Help faces. This month’s edition: Privacy Considerations – follow the rest of the series at Innocents Abroad.
From: Carrie Counselor
To: Ned Help
Date: May 24, 2016
RE: Privacy considerations for employees working abroad
I understand that one of your employees will be undertaking a six-month temporary assignment around Europe to scope market opportunities, and you’d like to have a better understanding of what to be thinking about in terms of privacy. Great question! This is an area where many employers struggle because other jurisdictions protect privacy and personal data quite differently than we do here in the United States.
Generally speaking, federal and state laws applicable to employee information do not have “extraterritorial” effect beyond the information that remains in the United States, meaning that American employees working abroad (even temporarily) will not benefit from US legal protections with respect to personal information collected, stored or transmitted outside of the country.
What makes this area of the law particularly crucial and daunting for employers is that non-US countries frequently offer greater protections to employees and impose far higher compliance obligations on employers. Of particular concern for you should be the data protection landscape across the European Economic Area (referred to as the “EEA,” encompassing all European Union (EU) Member States as well as Iceland, Liechtenstein and Norway), because each country has passed its own set of national laws governing the collection, use, retention and transmission of personal data. Companies must consider these local laws before electronically monitoring an employee outside the United States or transferring an employee’s personal information back home. Let’s talk specifics:
Court holds that plaintiff must allege a concrete injury to have standing to sue for a statutory violation; remands for further proceedings
In its just-issued decision in Spokeo, Inc. v. Robins, No. 13-1339, slip op. (May 16, 2016), the Supreme Court has held that a plaintiff bringing suit under a federal statute must allege the existence of a concrete injury in order to have Article III standing to bring that statutory claim.
This ruling disturbs assumptions that animate federal minimum-damages statutory class actions. The conventional wisdom has been that if a defendant violates a statute, the plaintiff cashes a check. For years, plaintiffs’ class action lawyers have argued that it’s just that simple. A cottage industry in class action litigation has grown up around a daunting alphabet soup of federal enactments – such as the TCPA, FCRA, FACTA and RESPA – which prescribe minimum money damage awards for statutory violations. Statutory awards ranging from $100 to $1,500 per violation for actions such as failing to truncate credit card numbers on transaction receipts (FACTA) or sending unsolicited texts (TCPA) can add up to astronomic exposure when aggregated over classes of tens of thousands of individuals.
The Payment Card Industry Security Standards Council (PCI SSC) has released a new version of its data security standard for the protection of cardholder data, the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data. PCI DSS is administered by the PCI SSC, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
The newly published version, PCI DSS version 3.2 (PCI DSS 3.2), contains the following three types of changes:
We now have a precise date for the European Union’s General Data Protection Regulation to go into effect: May 25, 2018. The official version has been published and is available here. The GDPR, in its official published version, contains 87 densely-packed pages of recitals and articles, and many new and expanded obligations for both “controllers” and “processors” of personal data. Many companies will need the full two years’ lead time to bring their operations and contracts into compliance. (Read our bullet point summary here.)
If you have had to provide data breach notices across any number of states (and who hasn’t?), you know that the states vary widely in how those notices must be provided to state regulators. In some states (for example, California, North Carolina, Indiana, and New York), the Attorney General’s office has established an online portal that must be used for breach notices. In other states, notice letters must be sent to one or multiple regulators.
Pursuant to the Massachusetts data breach notification statute, M.G.L. 93H, notices must be provided to the affected resident, the Attorney General’s office and the Office of Consumer Affairs and Business Regulation (OCABR). It is not enough that Massachusetts has a sui generis statutory requirement for the content of the breach notice (you must tell affected residents that a breach occurred, but you cannot describe the nature of the breach to them); now the OCABR has created its own notice submission portal, which is a separate form and not just a place to upload a copy of the AG notice. A letter sent out earlier this month also says: “It is important to note that this electronic submission form only satisfies the notification requirement for OCABR. The submission does not relieve businesses of their legal obligation to separately notify the AGO and the affected Massachusetts residents.”
Make sure you update your incident response plan to account for this additional notice requirement.
At long last, the Department of Health and Human Services Office for Civil Rights (OCR) has released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin next month.
The protocol covers the following subject areas:
- Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- Security Rule requirements for administrative, physical, and technical safeguards.
- Breach Notification Rule requirements.
OCR has also released other materials that shed light on the logistics of the audit process, including a copy of the Audit Pre-Screening Questionnaire that it will use to collect demographic information about covered entities and business associates. OCR will use this information to create a pool of potential auditees.
Entities selected for audit will be required by OCR to identify and provide detailed information regarding their business associates. The information collected by OCR will be used to help identify business associates for the Phase 2 audits. OCR has released a template with the information that covered entities will have to provide, including the business associate’s name, contact information, type of services, and website.
Covered entities and business associates should be working to ensure that they have the required compliance documents and materials ready, especially given OCR’s aggressive timetable: if selected for an audit, an auditee will have only 10 days to respond to OCR.
As we have discussed previously on this blog, the audit protocol is an excellent HIPAA compliance tool, especially for audit readiness assessment. Unfortunately, the version of the tool on the OCR website can be unwieldy to use in practice. In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.
Originally posted to Mintz Levin’s Health Law & Policy Matters Blog on 4/20/16
The Article 29 Working Party has released opinions on Privacy Shield and “essential guarantees” under EU law relating to surveillance, here and here.
Please join us in our webinar at 1 pm EDT today to learn more about the Article 29 Working Party’s opinion on Privacy Shield (register here). We will look at the opinion’s likely impact on Privacy Shield’s rocky progress through the EU bureaucracy, as well as on the legal attacks that we expect Privacy Shield will face if and when it is ultimately adopted by the Commission.
UPDATE: The Article 29 Working Party has released surprisingly brief comments on Privacy Shield, available here. Consistent with the press briefing held earlier today (see below), WP29 has concluded that Privacy Shield falls short without providing specific guidance as to what, exactly, an acceptable version of Privacy Shield would look like.
Earlier today, the Article 29 Working Party (“WP29”) held a press conference to give a preview of its assessment of the proposed EU-US Privacy Shield arrangements that were slated to replace the struck-down Safe Harbor program and bring much-needed certainty to companies that transfer personal data from the EU to the US.
While full comments will be available later today, we know now that WP29 has declined to give Privacy Shield its support. It appears that WP29 has serious concerns about whether there are adequate limits on the ability of US national security agencies to conduct mass surveillance. WP29 is also skeptical about the rights of redress for EU residents and would prefer that EU residents be able to bring complaints directly via their local EU data protection authorities. We will cover the WP29 assessment more fully during our webinar on Thursday, April 14. Register here. In the meantime, for those who would like to listen to the press briefing, an audio recording is available here: https://scic.ec.europa.eu/streaming/article-29-working-party
As we reported last month, the FCC was preparing a proposed rulemaking (NPRM) to establish privacy and data security requirements for broadband internet access service (BIAS) providers. The FCC has now released that proposal with comments and reply comments due May 27th and June 27th respectively.
The brief background to this proposal is that in 2015, the FCC adopted net neutrality rules in its Open Internet Order, which reclassified BIAS as a common carrier telecommunications service subject to regulation under Title II of the Communications Act. The Commission determined that, as a consequence of reclassification, Section 222 of the Communications Act, which is part of Title II, would now apply to BIAS providers. Section 222 regulates a telecommunications carrier’s use and disclosure of Customer Proprietary Network Information (“CPNI”), which includes information related to the quantity, location, and amount of use of a telecommunications service. The FCC concluded in its Open Internet Order that the existing rules implementing Section 222 were telephone-centric and ill-suited to BIAS, and so chose to forbear from applying those rules to ISPs. With this latest release, the FCC is proposing a new set of rules implementing Section 222 that would apply to BIAS providers.
Everyone loves a good courtroom drama. So just imagine this pitch: henchmen of an evil dictator hack their way into a movie studio’s computer system. Once inside, they steal the most sensitive personal information of the studio’s stars, executives and employees. Their most intimate secrets, spilled over the Internet. Who can help these poor souls? Why, the brave and hard-working class action lawyers, that’s who. Through grit, pluck and lawyerly derring-do, our intrepid heroes soon bring the evil wrongdoers to justice. Think “The Manchurian Candidate” meets “Erin Brockovich.”
But real life is rarely like the movies, even when it involves the movies. Yes, Sony Pictures Entertainment (“SPE”) did suffer a cyberattack that disclosed employees’ personally identifiable information (“PII”). The data breach was allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un. And class action litigation predictably followed. But who were the evil wrongdoers who faced the wrath of class counsel? Alas, the hackers were inconveniently beyond the reach of our legal system and, thus, unavailable to answer for their crime. So SPE, the studio victimized by the hack, would have to do.