This month, the Federal Trade Commission (FTC) issued guidance on privacy and security best practices for health-related mobile apps, such as fitness apps connected with wearables, diet and weight loss apps, and health insurance portals. At the same time, the FTC unveiled an interactive tool designed to direct health app developers to federal laws and regulations that may apply to their apps. The Mobile Health Apps Interactive Tool, which is the product of collaboration among the FTC, Department of Health and Human Services’ Office of National Coordinator for Health Information Technology (ONC), Office for Civil Rights (OCR), and the Food and Drug Administration (FDA), seeks to unify guidance in a space governed by a complicated web of legal requirements. It also signals the continued focus of regulators on the protection of consumer health information in this rapidly evolving space.
On Wednesday, the EU’s Article 29 Working Party issued its much-anticipated statement on the viability of the proposed EU-US Privacy Shield. As we’ve detailed previously, EU and US officials reached agreement on the Privacy Shield arrangement, which was meant to serve as a replacement for the invalidated Safe Harbor program, back in February, and released details of the Privacy Shield scheme a few weeks later. Observers then began eagerly awaiting the Article 29 Working Party’s opinion on the Privacy Shield, because even though the group’s opinion is not binding on the European Commission – which is responsible for shepherding the Privacy Shield through the approval and adoption process – it nevertheless may prove influential as that process moves forward.
After a decade of winding its way through the legislative process, Turkey’s new Data Protection Law entered into force on April 7. Although Turkey previously had a few sectoral data protection laws on the books, this is the first time the country has had an omnibus data protection law. Although details remain somewhat scant at this point, this new law deserves the attention of any company that conducts business in Turkey or collects the personal data of customers, employees, or other individuals located in Turkey.
The recently released Carlton Fields 2016 Class Action Survey reports that class actions are up for the first time in four years. While data privacy class actions still make up a relatively small portion of class action filings, their growth is expected to continue.
As class actions increase, arbitration clauses remain a popular first line of defense. The Carlton Survey reported that nearly 50 percent of companies employ arbitration clauses that address class actions. Still, enforcing such arbitration clauses often generates mini-litigations in their own right. Two recent decisions from the Fourth Circuit are of interest in this regard.
Co-authored by Geoffrey Roche
On March 10, 2016, the French data protection agency (“CNIL”) pronounced a €100.000 ($111,715) fine against Google Inc. for failure to comply with its formal injunction of May 2015 ordering the company to extend delisting to all of the search engine’s extensions.
Oregon became the first state to adopt the Revised Uniform Fiduciary Access to Digital Assets Act (“Revised UFADAA”) when Governor Kate Brown signed Oregon Senate Bill 1554 into law on March 3, 2016. The law will become effective on January 1, 2017.
As we previously reported, EU and US officials have reached an agreement to implement a program known as the EU-US Privacy Shield. The Privacy Shield is a successor to the US-EU Safe Harbor program, which was invalidated last year, and is the culmination of more than two years of negotiations between the EU and US to strengthen the protections afforded to individuals whose personal data is transferred from the EU to the US.
On Monday, the European Commission released the documents that will constitute the Privacy Shield, along with a draft adequacy decision. Key features of the new program include the following:
- Privacy Principles: As under the Safe Harbor program, Privacy Shield organizations (i.e., organizations that have self-certified under the Privacy Shield) must comply with specified privacy principles (the “Principles”) when transferring and processing data originating in the EU. These principles are: Notice; Choice; Security; Data Integrity and Purpose Limitation; Access; Accountability for Onward Transfer; and Recourse, Enforcement and Liability.
- Choice: Individuals must be given the choice to opt out of having their personal information disclosed to a third party (except an agent of the Privacy Shield organization) or used for a purpose that is materially different from the purposes for which it was originally collected or which were subsequently authorized by the individual. For sensitive information, with limited exceptions, individuals must expressly opt in before such information may be so disclosed or used.
- Onward Transfer: Any transfers of data to a third party must be pursuant to a contract that provides, inter alia, that the recipient will provide the same level of protection as the Principles. In the case of contracts with agents, an organization must, upon request, provide a summary or copy of the relevant privacy provisions to the Department of Commerce.
- Redress of Rights:
  - Privacy Shield organizations must have in place an effective internal mechanism to deal with complaints of non-compliance with the Privacy Principles and must commit to responding to complaints within 45 days.
  - An independent Alternative Dispute Resolution mechanism also must be designated and available, free of charge, for individuals to pursue claims of non-compliance.
  - Individuals can bring claims to their national DPA, which will, in turn, work with the US Department of Commerce to ensure that the Privacy Shield organization addresses the complaint.
  - Privacy Shield organizations remain liable if an agent to whom they transfer information processes such information in violation of the Principles, unless the Privacy Shield organization can prove that it is not responsible for the event giving rise to the damage.
  - Privacy Shield organizations that wish for Privacy Shield benefits to cover HR data are required to commit to cooperate with the European Data Protection Authorities (“DPAs”) in the investigation and resolution of complaints, which would include an agreement to comply with any advice from the DPAs that the organization needs to take specific action to comply with the Principles. Privacy Shield organizations that are not seeking to cover HR data may choose whether or not to commit to cooperate with the DPAs in investigating and resolving complaints.
  - The Privacy Shield framework also establishes a binding arbitration option for redress of certain complaints.
- Limits on US Government Access: The released documents include letters from the Office of the Director of National Intelligence and the U.S. Department of Justice outlining the legal restrictions and safeguards in place to limit access by the U.S. government to personal data transferred pursuant to the Privacy Shield. The U.S. Secretary of State also has appointed a Privacy Shield Ombudsperson, whose responsibility it will be to serve as a point of contact for foreign governments that wish to raise concerns regarding U.S. intelligence activities.
- Periodic Review: The draft adequacy decision provides for ongoing review of the Privacy Shield Framework to ensure its continued adequacy. This continued review shall include an “Annual Joint Review” among the EU Commission, the US Department of Commerce and Federal Trade Commission, and other US agencies as appropriate. This meeting will be open to DPAs and representatives of the Article 29 Working Party.