On Friday, the heads of the Federal Trade Commission overruled the decision of the Administrative Law Judge (“ALJ”) in In the Matter of LabMd., Inc. The FTC concluded that the ALJ had erred in dismissing the Commission’s case against a lab testing company LabMD and misapplied the unfairness standard. The key determination by the FTC was that the mere disclosure of sensitive medical information is cognizable harm under Section 5(c) of the FTC Act, 15 U.S.C. § 45(a), irrespective of whether there is further economic or physical harm. What does this mean for privacy enforcement? Read on. Continue Reading FTC Plants A Flag With LabMD Ruling: What This Means for Enforcement
Last week, the Federal Trade Commission (FTC) announced (press release) that Practice Fusion, the largest cloud-based electronic health company in the United States, has agreed to settle FTC charges over deceptive practices involving the public disclosure of healthcare provider review information collected from consumers that included sensitive personal and medical information. Below is our review of the circumstances of the basis of the FTC complaint, a summary of the terms of the settlement, and a few pointers on how to avoid a similar situation. There are many lessons to be learned from this FTC complaint for all online providers, not only EHR providers. Read on ….. Continue Reading Practice Fusion and FTC Settle Complaint Over Deceptive Statements About the Privacy of Consumer-Generated Online Content
FCC Chairman Tom Wheeler has announced that a proposed rulemaking is being circulated among the Commissioners that would establish privacy and data security requirements applicable to providers of broadband Internet access service (BIAS). The Notice of Proposed Rulemaking (NPRM) itself will not be released to the public until the end of March when it is scheduled for a vote, but Chairman Wheeler released a summary of his proposal on Thursday.
In adopting the Open Internet Order, which reclassified BIAS as a telecommunications service subject to Title II of the Communications Act, the FCC determined that the privacy provisions of Section 222 of the Communications Act that govern how call detail and call record information are used and protected by providers of telecommunications services also would apply to BIAS providers. The Commission concluded, however, that its rules implementing the privacy provisions of that Title were ill-suited for broadband privacy, and opted to forbear from applying those rules to BIAS providers. Instead, the Commission stated that it would establish a new privacy framework applicable to BIAS providers, and last week’s announcement represents the start of that process. Continue Reading FCC Announces Broadband Privacy Proposal
The amended Judicial Redress Act has passed the House and is on its way to the president to be signed into law. The Act, which we covered in an earlier blog post, gives citizens of foreign countries the same rights as US citizens in connection with the use by the US government of their personal data, subject to a determination by the Attorney General that the country in question cooperates with the US in sharing law enforcement information, doesn’t impede the flow of personal data to the US for commercial purposes, and meets certain other requirements. Essentially, the Judicial Redress Act helps assuage the EU’s concerns about government uses of personal data. The Judicial Redress Act is vital for the EU’s acceptance of the Umbrella Agreement for sharing of data by law enforcement agencies. It should be helpful for the proposed new “Privacy Shield,” which is currently under review by representatives of Europe’s national data protection agencies.
If you would like to learn more about the politics and law behind the current Safe Harbor 2.0 negotiations, download the podcast of Running Aground in the Surveillance Safe Harbor, a teleforum hosted by the Federalist Society. The podcast features moderator Matthew R.A. Heiman, Vice President, Chief Compliance & Audit Officer, Tyco International; Stewart A. Baker, Partner, Steptoe & Johnson LLP and former Assistant Secretary for Policy at the Department of Homeland Security; and Susan Foster, a solicitor in England & Wales whose practice bridges the UK and US perspectives on data protection matters. Podcast made available through kind permission of the Federalist Society.
One of the fascinating aspects of the privacy-related negotiations between the EU and the US over the past couple of years has been the EU’s efforts to decouple trade (e.g, TTIP) and security-related negotiations from the Safe Harbor 2.0 negotiations. The US Senate’s Judiciary Committee pushed back firmly on that yesterday when it adopted amendments to the Judicial Redress Act, which the EU requires to be passed before it will sign the Umbrella Agreement between the US and EU relating to the sharing of crime-related information between law enforcement authorities. The basic aim of the Judicial Redress Act is to give EU citizens the same rights as US citizens under the United States’ Privacy Act of 1974. The European Commission has said a number of times that passage of the Judicial Redress Act was a step in the right direction for Safe Harbor 2.0 (without saying it was enough to fully address the Commission’s concerns). Continue Reading Tying it all together: Safe Harbor and Security-Related Data Flows
There’s no doubt businesses in the EU and US would breathe a sigh of relief if a new Safe Harbor agreement is put in place between before European data protection authorities start prosecuting companies for potentially illegal personal data transfers to the US. But if it doesn’t happen, the US is actually not any worse off than most of the rest of the world. No other country has a special agreement with the EU concerning personal data transfers, and only eleven countries have been deemed to be “adequate” by the European Commission: Andorra, Argentina, Canada (commercial organizations only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Only one of the countries on the “adequate” list, Switzerland, is a “top ten” EU trade partner, according to the latest trade statistics published by the Commission (based on 2014 figures). Only two of the countries are in the top twenty (Canada is in twelfth place). Japan, India, Brazil, Turkey, South Korea, all “top ten” EU trade partners, are not on the “adequate” list. Nor is China or Russia, both of which have significant trade with the EU (coming in second and third in the “total EU trade” rankings published by the Commission). So if the US isn’t on the “adequate” list, it is no worse off than most other major EU trade partners. Continue Reading (So) What if there’s no Safe Harbor 2.0?
The years-long saga of the Federal Trade Commission’s suit against Wyndham Hotels over data breaches that occurred at least as early as April 2008 is finally coming to an end with a proposed settlement filed today with the court. The original complaint, which is summarized in this post from 2012, alleged that Wyndham’s claims to use “standard industry practices” and “commercially reasonable efforts” to protect customers’ personal information were deceptive, and its actual practices unfair, in light of the company’s lax security practices. Wyndham argued that the FTC lacks the authority to police data security practices, but in August 2015 the Third Circuit found against Wyndham, holding that the FTC’s authority to take action against a company’s unfair practices extends to enforcement of data security practices.
The proposed settlement, which is in effect for 20 years, reached between Wyndham and the FTC provides the first notice to companies of what they should expect from the FTC in the event of a data breach due to a failure to maintain reasonable data security standards. The various settlement provisions are similar to those imposed in cases brought by the FTC over misrepresentations in privacy policies (as opposed to this case, which involved a suit over the laxity of the company’s actual data security practices).
Those provisions include Wyndham agreeing to undertake the following:
- • Establishment a comprehensive information security program to protect credit card data, which must include risk assessments, reasonable safeguards, and regular monitoring for the next 20 years;
- • Annual information security audits and independent assessments of its compliance with the Payment Card Industry Data Security Standard (PCI DSS) over the next 20 years;
- • Obtain the certification of an independent certified assessor before implementing any “significant change” to its data security practices that the change would not cause it to fall out of compliance;
- • Provide all assessments to FTC;
- • Keep records relied on to prepare each annual assessment for three years; and
- • Submit to compliance monitoring by the FTC.
Notably, and different from the settlements of privacy-related cases, Wyndham will not be required to pay a fine.
UPDATE: Here’s a link to the English-language version of the ECJ’s full decision: Schrems Safe Harbor Decision
A press release issued by the Court of Justice of the EU (ECJ) regarding its decision in the Schrems Safe Harbor case (C-362/14) confirms that the ECJ has declared Safe Harbor invalid. The ECJ has sent the case back to the Irish Data Protection Authority to determine whether Facebook Ireland’s transfer of personal data to the US is permitted under EU data protection law, in light of Facebook’s participation in the NSA’s PRISM program. We are awaiting publication of the decision and will report further after it becomes available.
In the meantime, here’s the background to this decision and some suggestions for what to do next if your company relies on Safe Harbor:
The European Union’s Data Protection Directive (1995) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection. Soon after the Directive was passed, the European Commission determined that the US doesn’t offer adequate levels of protection. The EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the Data Protection Directive.
Currently, over 4,500 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws.
If your company relies exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, it will need to find another basis for the transfer as soon as possible. The primary options are:
- Consent of the data subject to the transfer. In most circumstances, the consent needs to be explicit and fully informed to be valid. It’s also important to keep records of the consent in case there’s a challenge.
- Binding corporate rules for intragroup transfers. BCRs need to be approved by the relevant national information commissioners, and this is a lengthy process (potentially 18 months or more). So while this is a longer term option, it won’t help if Safe Harbor is not available. Also, BCRs are vulnerable on the same grounds as Safe Harbor.
- Contracts between the exporting and receiving entities. The European Commission has provided model clauses that can be incorporated into agreements to ensure adequate protection of the transferred personal data. However, see the cautions below.
- In the UK, companies may be able to make their own adequacy determinations under guidance issued by the UK’s Information Commissioner’s Office.
There’s a very important caveat that would apply to all of these alternatives except possibly the data subject consent option: BCRs and model contracts require the data recipients essentially to promise that the data will be protected to the same level as in the EU. If your company could receive a subpoena from the NSA or other US government agency to disclose the personal data of EU residents, then the BCRs and contracts (and UK adequacy determinations) would presumably face the same weakness that the Safe Harbor faces: a fundamental incompatibility between EU data protection law and the powers of US government agencies to conduct intelligence operations and require US companies to comply.
Rather than our usual Privacy Monday “bits and bytes,” we have a breaking story relating to the ongoing Wyndham/FTC saga.
Today, Wyndham Worldwide Corp. lost a critical round in the Third Circuit. Anticipated since April, 2014, the three-judge panel upheld U.S. District Judge Esther Salas’ ruling that the Federal Trade Commission (FTC) has the authority under the “unfairness” prong of Section 5 of the FTC Act to bring suit against companies over data security practices.
For all the background leading up to today’s ruling, we send you back to our April 2014 post summarizing Judge Salas’ ruling and a recap of the entire case history, going back to June 2012 when the FTC filed its complaint. The FTC originally alleged that Wyndham had engaged both in unfair and deceptive business practices in violation of Section 5 by failing to maintain reasonable and appropriate security measures. The alleged security failures led to at least three data breaches between April 2001 and January 2010, exposing consumer data and payment card account numbers. Wyndham has been fighting back all along the way, using this case to oppose the FTC’s authority and claiming that the agency exceeded statutory powers.
The appeals court said that Wyndham “cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform….[T]he company can only claim that it lacked fair notice of the meaning of the statute itself — a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts.”
This precedential opinion squarely rejects Wyndham’s argument that the FTC exceeded its statutory authority and Congress never intended for the commission to be able to use its Section 5 powers to police “failures to institute voluntary industry best practices” and virtually ensures the position of the FTC as “top cop” for data privacy and security regulation.