Article 29 Working Party Provides Guidance On Data Controller/Processor Concepts

Who is in “control” of personal data and who merely processes personal data on behalf of a data “controller”? These are essential questions for purposes of compliance with EU data protection requirements, yet answering them can be quite problematic in practice. The EU Data Protection Directive defines the controller as the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data. The processor, on the other hand, is the person or entity that processes personal data on behalf of the controller. Applying these concepts to a practical case may have been straightforward in the early days of the Directive, but in today’s Web 3.0, RFID and cloud computing environments many are perceiving the controller and processor distinction as archaic and, most importantly, unworkable in practice. At the same time, under the current legal regime the distinction is crucial in order to determine who is responsible for compliance with EU data protection rules, what Member State laws apply, and which data protection authorities are competent to supervise data processing operations.  

Last November in Madrid, when the 31st International Conference of Data Protection and Privacy Commissioners adopted the “International Standards on the Protection of Personal Data and Privacy”, there was a sparkle of hope that the controller and processor concepts would not survive the upcoming review of the EU data protection framework. The Standards use the more pragmatic concepts of “responsible person” (instead of “controller”) and “processing service provider” (as opposed to “processor”).

However, on 16 February 2010, the Article 29 Working Party (WP) adopted an opinion (Opinion 1/2010) on the concepts of “controller” and “processor”, in which it takes the position that there is no reason to assume that the current distinction between controllers and processors would no longer be relevant and workable. The Article 29 WP acknowledges that applying these concepts to concrete situations can be complex, which is why it is providing specific guidance in its opinion to ensure a consistent and harmonized approach throughout the EU.

The Article 29 WP’s opinion includes a comprehensive analysis of the controller and processor concepts as well as practical examples and rules of thumb on how to approach the concepts pragmatically. Without going into any level of detail, here are just a few of the Article 29 WP’s pearls of wisdom that can be found in the Opinion:

  • In many cases the responsibility of data controller can be attributed on the basis of an assessment of the factual circumstances. Contractual terms can often clarify the issue, although they are not decisive under all circumstances. Even if a contract is silent on who is the controller, it can still contain sufficient elements to assign the responsibility of controller to the party that apparently exercises a dominant role in that regard.
  • The data controller must determine the purposes and the means, i.e., the “why” and the “how” of certain processing activities. The crucial question, however, is to which level of detail somebody should determine purposes and means in order to be considered as a data controller. According to the Article 29 WP, whoever decides on the “purposes” of a data processing operation should be the controller. The data controller can delegate the determination of the “means” of the data processing, as far as technical or organizational measures are concerned. Substantial decisions that may affect the lawfulness of the data processing (e.g., how long will the data be stored) are reserved to the data controller.
  • In some cases, there may be several persons or entities that determine the purposes and means of a particular data processing operation and that therefore qualify as “joint controllers”. Although contractual arrangements can be useful in assessing joint control, they should always be checked against the factual circumstances of the parties’ relationship. Parties acting jointly also have a certain degree of flexibility in sharing and allocating data protection obligations and responsibilities, as long as they are compliant.
  • A data processor is a separate legal person or entity with respect to the data controller and processes personal data on the data controller’s behalf. The data processor is called on to implement the data controller’s instructions at least with regard to the purposes and the essential means of the processing. The lawfulness of the processor’s data processing therefore depends on the specific mandate given by the controller. A data processor exceeding that mandate could be viewed as assuming the responsibilities of a (joint) controller.

The Article 29 WP’s opinion provides useful explanations and guidance in general, and its analytical approach is helpful. It is perhaps regrettable that the many examples in the opinion do not always include in-depth discussions of the specific issues raised (for instance, data processing by recruitment agencies or in the context of clinical trials).

Draft Federal Legislation May Bring Changes to Data Breach Practices

On July 22, 2009, Sen. Patrick Leahy (D-VT) reintroduced S. 1490, the Personal Data Privacy and Security Act (“PDPSA”), which has been referred to the Senate Judiciary Committee. The reintroduced PDPSA is substantially similar to the prior version reported out by the Judiciary Committee in 2007, which was co-sponsored by then-Sen. Barack Obama. Among the provisions of the proposed law are a mandated adoption and maintenance of a comprehensive information security program, a national data breach notification law, and regulation of data broker services. Further, while the bill as currently drafted reflects many commonly accepted principles of data privacy and security underlying existing federal and state laws, it deviates from current laws and standards regarding data security and breach notification on several noteworthy points. Although passage of this legislation during the current session of Congress is far from certain, the existing PDPSA draft may foreshadow future legislative and regulatory trends.

Federal Data Breach Notification Requirement including Federal Criminal Penalties and State

Title III, Subtitle B of the currently drafted PDPSA contains a data breach notification requirement in the event of unauthorized access (or reasonable belief that unauthorized access has occurred) to sensitive personally identifiable information (“SPII”) of any resident of the United States.  Notification may be provided in writing, by telephone, or via email (if the affected individual has consented to email notice).  In addition to standard provisions for notice to national credit reporting agencies and media outlets, the proposed law requires notification to the U.S. Secret Service within 14 days if the security breach involves:

  • the acquisition (or is reasonably believed to involve the acquisition) of the SPII of more than 10,000 individuals by an unauthorized person;
  • a database or other system containing the SPII of more than 1,000,000 individuals;
  • a database owned by the federal government; or
  • the SPII of federal law enforcement or national security personnel.

Criminal Penalties for Concealment of a Security Breach

Under the current draft of PDPSA, knowing concealment of a security breach that results in economic damage to any person would be subject to criminal penalties including fines and imprisonment for up to 5 years.  See PDPSA § 102.  Notification may be exempted if a written certification that notification would damage national security or hinder a law enforcement investigation is transmitted to, reviewed by, and approved by the Secret Service.  While this provision appears to be intended to increase the number of reported breaches, the risk of criminal prosecution depends upon a showing of economic damage to an individual.  Historically, courts have found it quite difficult to trace economic harm to a specific data breach.  Nevertheless, the specter of criminal sanctions would be impossible to ignore. 

Encryption Safe Harbor

The draft legislation contains a safe harbor from the notification requirement if a risk assessment concludes that there is no significant risk of harm to individuals because the compromised data was encrypted or otherwise rendered indecipherable or inaccessible.  See PDPSA § 312(b).  Safe harbor risk assessments must be provided to the Secret Service within 45 days of discovery.  Covered entities may rely upon the risk assessment if the Secret Service has not informed the entity otherwise within 10 days thereafter.  This continues the trend of breach notification laws designed to encourage encryption of sensitive information, particularly on backup tapes, laptops, and other portable devices.  It should be noted that the proposed law explicitly includes access controls among the list of ways to render SPII inaccessible, which would be a noticeable evolution in breach notification law.  Ultimately, it would be left to the discretion of the Secret Service to determine whether any access controls were sufficiently secure to render the risk of public harm insignificant. 

Fraud Prevention Program Exemption

The draft PDPSA does not require notification for breaches that involve only credit card numbers or security codes if the covered entity participates in a fraud prevention program designed to block unauthorized transactions before they are charged to an individual’s account.  See PDPSA § 312(c).  However, if the breach involves any other form of SPII or credit card numbers combined with an individual’s name, entities are still obligated to provide appropriate notice.

Justice Department and State AGs Authorized to Pursue Civil Enforcement Actions

In addition to the criminal penalties discussed above, the United States Department of Justice and state Attorneys General would be authorized to bring civil enforcement actions for violations of the data breach notification rules.  See PDPSA §§ 317-318.  The draft PDPSA authorizes equitable relief and civil penalties of up to $1,000 per day per affected individual up to a maximum value of $1,000,000 per violation unless the violation is found to be willful or intentional.  Similar to the criminal penalties provision, this appears to be intended to increase the number of breaches that are reported to the public, as well as indirectly incentivize covered entities to harden security measures protecting SPII. 

Broad Preemption Clause

The provisions of the draft PDPSA expressly preempt all federal and state data breach laws.  See PDPSA § 319.  If passed into law, this clause would establish one uniform breach notification regime for all entities engaged in interstate commerce, superseding the existing patchwork of state notification laws as well as the federal health data breach notification requirements recently introduced by the HITECH Act.

Expansive Definition of Sensitive Personal Identifiable Information

The draft PDPSA contains a definition of SPII that is more expansive than existing data security and breach notification regimes.  SPII includes the following categories of data:

1. A financial account number or credit/debit card number with the associated security code or PIN.
2. A person’s first name and last name or first initial and last name combined with:
   a. a non-truncated Social Security Number or government identification number;
   b. unique biometric data;
   c. unique account identifier, electronic identification number, user name, or routing code combined with any associated security code or password required to obtain money, goods, services, or any other thing of value; or
   d. any two of
      i. home address or telephone number,
      ii. mother’s maiden name, and/or
      iii. month, day, and year of birth.

See PDPSA § 3(12).  Accordingly, the required data security program and data breach notification procedures would apply to a greater amount of information than current regulatory schemes.  For example, a table of user names and passwords maintained by a web merchant may be subject to a covered entity's information security program and breach notification requirements, which would ordinarily not be the case under current state and federal law.  This may be particularly true for merchants that allow customers to use email addresses as their user ID because many email addresses contain the first and last name or first initial and last name of the user.  Similarly, web merchants that allow users to select freeform user IDs may find that many customers use their actual names.

UPS Ltd Subject of UK Data Security Enforcement

UPS Ltd has joined the ever-increasing number of companies featuring in the ‘Enforcement’ section of the UK Information Commissioner’s website, for failing to ensure the adequate security of personal data, which was held on an unencrypted laptop.

Security is one of the key data protection principles set out in Schedule 1, Part 1, of the Data Protection Act 1998 (the “DPA”) and although organizations are familiar with the principle, the basic elements of protecting data can still be overlooked. As a reminder, the DPA requires all ‘data controllers’ (such as UPS Ltd in this case) to comply with the eight data protection principles. The seventh principle deals with the security of personal data and provides that data controllers must take “appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. This means, for example, using password protection and encryption on portable hardware, such as laptops and memory devices. Of course, such measures are only effective if everyone knows about them and uses them appropriately.

This recent decision involved the loss of personal data when a UPS employee’s laptop was stolen, whilst on business abroad last year. The laptop was unencrypted and was never recovered.

Unfortunately (but as is often the case) it held personal data belonging to some 9,150 UK-based employees. Worse still, the data was payroll-related and so contained information relating to employees’ names, dates of birth, National Insurance numbers, salary and bank details.
Whilst there is no legal requirement to inform the Information Commissioner’s Office (ICO) of a DPA breach, UPS Ltd’s lawyers made the notification for their client, presumably recognizing the harm that could result from the loss of such data, for the employees themselves and also for the company’s reputation.

By this time, UPS Ltd had endeavored to remedy the breaches and could therefore submit evidence of improvements it had made, to the ICO. Helpfully, in reaching its decision, the ICO noted such remedial steps as:

  • encryption for all UK and European UPS laptops and smartphone devices; and
  • updating the security policy to include encryption for removable media.

The ICO also recognized UPS Ltd’s understanding of the seriousness of the event and its efforts to comply with the DPA. Rather than issuing an Enforcement Notice, UPS Ltd were able to sign an undertaking to comply with the DPA and put in place these promises within 6 months.

This case demonstrates that although mistakes happen, there are ways to limit the exposure and organizations in breach of the DPA should act purposefully to rectify the damage as soon as possible.

Possible Health Information Trend in State Data Protection Statutes

With the compliance date for the federal health data breach notifications in the HITECH Act looming, more states are amending their data breach notification statutes to cover health information. The possible trend is evident in the newly-enacted laws of three states – Missouri, New Hampshire and Texas – all of which have been enacted since June 2009.

  • Missouri – Within the key definition of “Personal Information,” Missouri’s new data breach notification law includes both “medical information” and “health insurance information,” which if disclosed in combination with an individual’s name, may trigger notification rights.
  • New Hampshire – In a separate provision from its general data breach notification law, disclosure of HIPAA protected health information by health care providers and business associates may trigger notice requirements even if the disclosure is permitted under federal law or does not create a risk of harm.
  • Texas – Expanding its existing data breach notification statute, Texas specifically amended the definition of “sensitive personal information” to include types of health information not previously covered.

These states join California, Arkansas and Puerto Rico as the only jurisdictions to protect health data under their data breach notification statutes. Still, compliance with these statutes may be costly and burdensome. Businesses must carefully monitor access, acquisition and disclosure of health and medical information in addition to other types of sensitive information – Social Security numbers, financial account numbers, etc. – routinely protected under these statutes. Definitions of health and medical information vary, but can be quite broad to cover, among other things, information relating to:

  • physical or mental health or conditions and medical histories;
  • provision of health care;
  • treatment and diagnosis;
  • payments for health care; and
  • insurance policy numbers and subscriber IDs.

Although the interaction of these state laws with the federal data breach notification regulations under the HITECH Act is unsettled, state laws must continue to be monitored and analyzed closely, especially if the number of states protecting health information continues to grow and their notification obligations are consistent with, but extend beyond, the federal requirements.