European Article 29 Working Party calls on Google, Microsoft and Yahoo! to improve users' online privacy protection

by Lionel de Souza

On May 26th, the European working party on data protection established by article 29 of the 1995 European Directive on Data Protection (the "Working Party") sent letters to the three main search engine providers, Google, Microsoft and Yahoo!, to express its concern about how the search engine providers protect the online privacy of their users.

These letters follow a number of exchanges that have taken place over the past two years between the Working Party and the companies.  The process started with the Working Party's March 2008 opinion on search engines, which was later followed by a questionnaire to search engine providers and a hearing in February 2009.

In response to the Working Party's opinion, Google, Microsoft and Yahoo! all publicly announced amendments to their respective policies regarding the term of retention and anonymization of user data.  While these modifications generally have been welcomed as improvements of search engine practices, the Working Party still considers them insufficient.  Overall, the Working Party points to:

(1) the insufficient level of anonymization of data implemented by search engines or the lack of complete information to appreciate the appropriateness of such measures; and

(2) the excessive term of retention of user data (especially in consideration of possible cross-referencing).

Based on these elements, the Working Party states that it "cannot conclude that [these companies comply] with the European Data Protection Directive" and "urges" them "to review their anonymization claims and make the process verifiable."

To do so, the Working Party recommends that all three search engine providers implement and submit to an auditing process conducted by external and independent third parties.  It is interesting to note that such an auditing procedure does not rest on any specific legal ground in the European data protection legislation, and that the search engines are therefore under no obligation to implement it.  If they did agree to an audit, however, a number of questions would arise, such as the appropriate frequency of the audits and whether their results should be made public.

Finally, the Working Party, taking into account the "strong international component of this debate", sent copies of the three letters to the FTC (as well as to the European Commission Vice-President in charge of Justice, Fundamental Rights and Citizenship, Viviane Reding) to share its concerns and to request an inquiry into whether the companies' conduct complies with Section 5 of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices in the marketplace".

In a context of increased attention among the European public to issues of privacy, the reactions of the search engines and the FTC to the issues raised will be closely scrutinized.

The Working Party's letters can be found here.

FTC Red Flags Rule Enforcement Delayed Again (and New Legal Challenge)

The FTC announced today that it is delaying enforcement of its FACTA Red Flags Rule yet again, this time through December 31, 2010. This is the fifth time the FTC has delayed enforcement of its beleaguered red flag rule, which it originally had planned to enforce beginning November 1, 2008. This latest delay, just like the previous one, comes at the request of members of Congress who plan to amend the FACTA red flag provisions to narrow the scope of the entities that are covered. On May 25, 2010, members of Congress introduced S. 3416, which would exclude health care, accounting and law practices with fewer than 20 employees as well as certain other small businesses. 


European Commission's Digital Agenda for Europe: Privacy is Key and Review of Privacy Legislation Slated

Special thanks to Lionel de Souza in the Hogan Lovells Paris Office for this entry.  Lionel specializes in issues relating to privacy and data protection, e-commerce, the liability of technical intermediaries, IT contracts, outsourcing, online compliance, the intellectual property aspects of information technology and the Internet and encryption. He has a masters degree in digital law and new technologies from the university of Paris and an LL.M from the University of Edinburgh.

The European Commission published its "Digital Agenda for Europe" on 19 May 2010. The document presents a number of future measures designed to "maximize the social and economic potential" of information and communication technologies ("ICT").  Unsurprisingly, privacy is an important focus.

As a starting point, the Commission sets out seven areas which it regards as problematic and in need of revision if economic growth based on ICT is to be fostered.

These seven issues are (1) the existence of fragmented digital markets within the European Union; (2) the lack of interoperability on European markets; (3) the rise of cybercrime and the risk of low trust in networks; (4) the lack of investment in networks; (5) insufficient research and innovation efforts; (6) the lack of digital literacy and skills; and (7) the missed opportunities in addressing societal challenges (e.g. environmental concerns).

To make improvements in these areas, the Commission emphasizes that privacy and data protection will play an essential role.  Throughout the document, the Commission underlines the need to increase trust in ICT and internet services, and that such trust necessarily includes confidence in the protection of privacy and personal data.

The Commission has set as one of its key actions to "review the European data protection regulatory framework with a view to enhancing individuals' confidence and strengthening their rights by the end of 2010". It has also set out its intention to promote and progressively impose on goods and services providers the concept of "Privacy by Design", to include in its review of the data protection framework the possible "extension of the obligation to notify data security breaches", and to give guidance, by 2011, "for the implementation of a new telecoms framework with regards to the protection of individuals' privacy and personal data".

The document is ambitious and has the potential to have an important impact on operators and to allow for the development of business using ICT in the coming years.

The European Commission's Digital Agenda for Europe can be found here.

HIT Policy Committee Workgroup Recommends Encryption Mandate

The Health IT Policy Committee’s Privacy and Security workgroup has recommended that patient data exchanged between providers for treatment purposes be governed by policies that “at least” include encryption. The HIT Policy Committee is a federal advisory committee established to provide guidance to the Office of the National Coordinator for Health IT (ONC) on health IT policy issues, and its privacy and security workgroup is charged with addressing the privacy and security issues involved in developing a framework for the exchange of health information.

According to the workgroup’s recommendations, encryption ideally should be required whenever there is potential for transmitted data to be exposed. The workgroup proposed that the encryption mandate come either through the meaningful use and certification criteria or through modification of the HIPAA Security Rule.

In addition to encryption, the group recommended that provider-to-provider exchange be governed by policies that include “limits on identifiable (or potentially identifiable) information in the message” and “identification and authentication.” According to the workgroup, “if strong policies are in place and enforced, we don’t think that the above scenario needs any additional individual consent beyond what is required by current law."

If such recommendations are adopted and an encryption mandate imposed, this would have significant and far-reaching consequences for providers. We will continue to track the status of these recommendations as they evolve.

Geneva Meeting of Hogan Lovells Privacy Lawyers Demonstrates Global Reach; Webinar on 20 May to Focus on Trans-Atlantic Challenges Facing Multinationals

While the Hogan Lovells Chronicle of Data Protection primarily is designed for news and analysis of developments in the field of privacy and data protection, we want to take the opportunity of the recent combination of Hogan & Hartson with Lovells to inform our readers of the global breadth and depth of our practice. While each of the legacy firms was celebrated for its privacy and information management practices, the coming together of the lawyers from the two firms has created a practice group that is unparalleled in the world.  Hogan Lovells helps clients address privacy and data protection globally and in regard to specific national laws in countries around the world, through our 40 offices in the Americas, Europe, the Middle East and across Asia.

In the coming weeks, we will detail the privacy practices resident in various offices around the world.

Last week, selected partners from the global privacy and information management practice met in Geneva, Switzerland to discuss practice coordination and cooperation, and to focus on how we together can better serve our clients as a unified group.  (Regrettably, some of the partners scheduled to participate were grounded by the Icelandic ash cloud, including, notably, practice co-leader Marcy Wilder.) Joining the discussion and pictured above are (from left to right) Winston Maxwell (Paris), Quentin Archer (London), Steffan Schuppert (Munich), Gonzalo Gallego (Madrid), David Taylor (Paris), Marco Berliri (Rome), Wim Nauwelaerts (Brussels) and practice co-leader Christopher Wolf (Washington).

To provide an illustration of our global capabilities, tomorrow (20 May 2010) the firm will host a webinar entitled “Hogan Lovells Trans-Atlantic Discussion on the Privacy Challenges Facing Multi-National Corporations”. This will be the first webinar by the Privacy and Information Management Group at Hogan Lovells, featuring privacy lawyers on both sides of the Atlantic from the former Hogan & Hartson and Lovells. Quentin Archer (London), Steffan Schuppert (Munich), Wim Nauwelaerts (Brussels), Lynda Marshall (Washington), Marcy Wilder (Washington) and Christopher Wolf (Washington) will explore contemporary privacy law challenges facing companies doing business in multiple jurisdictions around the world, such as:

  • Cross-Border Transfers of Data Internationally
  • Managing Employees in Multiple Jurisdictions
  • Online Marketing Issues Around the World
  • Data Security and Data Breach Requirements
  • The Obligations Concerning Health Data Around the World
  • National Trends with International Ramifications

The panelists will explain how a coordinated international approach to privacy compliance is cost-effective and is an optimal way to limit risk and protect privacy.

Readers of the Hogan Lovells Chronicle of Data Protection are cordially invited to attend our webinar.  Please register by clicking here.

Second Circuit Rules Anonymity of Internet Users Not Protected by First Amendment

Thanks to Eric Bukstein in the Hogan Lovells privacy group for providing this report.

On May 3, 2010, in Arista Records v. Doe 3, a Second Circuit panel issued an opinion finding that an Internet user’s right to remain anonymous is not sufficient to prevent an ISP from revealing his identity in a copyright infringement dispute. The court held that a record label may subpoena information about Internet users connected to IP addresses if there is sufficient evidence that the IP addresses had been used to illegally share music. 

OCR Issues Guidance on Risk Analysis for HIPAA Security Compliance

On Friday, May 7, 2010, the Office for Civil Rights (“OCR”) issued guidance related to the HIPAA Security Rule’s risk analysis requirement.  Under HITECH, OCR is responsible for issuing annual guidance on provisions of the HIPAA Security Rule.  This guidance is the first in a series of documents aimed at helping covered entities and business associates implement effective and appropriate administrative, physical, and technical security safeguards. 

This guidance document is generally consistent with the materials provided by the Centers for Medicare and Medicaid Services (“CMS”) prior to the introduction of HITECH.  For example, like the recently released OCR guidance, CMS historically directed covered entities to refer to the National Institute of Standards and Technology’s Special Publication 800-66 Rev.1, An Introductory Resource Guide for Implementing the HIPAA Security Rule (October 2008) (“NIST 800-66”).  NIST 800-66 frequently directs readers to consult NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002), which is also quoted extensively in the recently released OCR guidance.  Moreover, the OCR guidance is quite similar to the HIPAA Security Series, Paper 6: Basics of Risk Analysis and Risk Management which was most recently revised by CMS in March 2007. 

OCR encourages the public to offer feedback on the risk analysis guidance. Comments can be submitted to OCR at OCRPrivacy@hhs.gov.

Reps. Boucher and Stearns Release Long-Awaited Advertising Privacy Bill

On May 4, Representatives Rick Boucher (D-Va.) and Cliff Stearns (R-Fl.) of the House Subcommittee on Communications, Technology, and the Internet published a discussion draft of long-anticipated privacy legislation that would restrict companies’ online collection and use of personal information and online activity, including use for the purpose of targeted online advertising.  Here are some observations about the draft bill, in its current form:

  • The bill would require any company that collects “covered information” from or about individuals to obtain opt-in consent to a statutorily mandated privacy policy containing at least fifteen enumerated disclosures.  Consent would be deemed adequate if the user expressly opted in to the information collection after being presented with the required disclosures, or in most circumstances if the user “does not decline consent at the time such statement is presented."  This would seem to imply that web sites would need to ensure that privacy policies appear on users’ screens at some point, to either expressly opt in or to fail to “decline consent” when the statement is presented to the user.  At the same time, however, the bill permits privacy policies to be “accessible through a direct link from the Internet homepage of the web site.”  It is unclear, then, whether the bill would consider the existence of such a link to be sufficient to infer that a user “does not decline consent” when merely accessing a web site, which would otherwise obviate the need to obtain opt-in consent.
  • In a few specific circumstances, the bill would permit the use of web site user information for the purposes of marketing, advertising, or selling only with express opt-in consent.  This includes (1) when the web site wishes to disclose the information to unaffiliated third parties, such as advertisement networks, unless certain requirements are met (see the next bullet); (2) when the web site collects or discloses any “sensitive information,” which is defined as medical records or history, race, ethnicity, religious beliefs, sexual orientation, financial records or other information associated with a financial account, or geolocation information; or (3) when the web site collects or discloses “all or substantially all of an individual’s online activity.”
  • Nevertheless, the bill would provide an exception permitting a web site to share user information with unaffiliated third parties for the purposes of marketing, advertising, or selling without express opt-in consent if it:  (1) provides users with a “readily accessible” opt-out mechanism; (2) deletes or renders anonymous any “covered information” within 18 months after it is first collected; (3) allows users to review and modify, or completely opt out of having, any profiles maintained about their preferences by web sites or their advertisement network partners for marketing purposes (these so-called “preference profiles” must be accessible through a hyperlinked “symbol or seal” on the web site and on or near any advertisement served based on the profile); and (4) prohibits advertisement networks from further disclosing any such information they receive.  This would seem to almost directly endorse the use of the online behavioral privacy icon put forth by groups supporting industry self-regulation of behavioral advertising.
  • The term “covered information” would include a number of individual data elements – such as name, e-mail address, and Social Security number – that might otherwise be considered personally identifiable information under other statutory or regulatory regimes (at least in combination with other data elements).  In addition to the novel development of regulating the collection of these data elements individually, the bill includes in its definition of covered information:

    "Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user."

     Adopting this definition would be significant because no American privacy law has ever considered an anonymous identifier or IP address to be legally protected information (though IP addresses are considered to be personally identifiable in the EU and FTC Chairman Jon Leibowitz commented just a couple weeks ago that he believes that IP addresses should be considered personal information).  Additionally, this definition means that the bill would apply to any web site that maintains and uses information about users keyed to a unique identifier, which means that it applies to just about every web site that collects user registration information.

HHS Requests Comments on HITECH Accounting of Disclosures Requirements

In today’s Federal Register, the Department of Health and Human Services (“HHS”) published a request for information (“RFI”) regarding the HITECH accounting of disclosures provisions.  The Department is collecting information to help inform its rulemaking. Building on the current HIPAA accounting of disclosure requirements, HHS is required to issue regulations concerning what information should be collected about disclosures for treatment, payment, and health care operations made through an electronic health record.  

In the RFI, HHS requests comments on nine questions, including whether the compliance deadline should be extended. Comments are due on or before May 18, 2010. A detailed listing of all questions and additional background information is available in the Federal Register.

We are now Hogan Lovells! We Have Even Deeper Global Capabilities in Privacy and Information Management

We are pleased to announce that Hogan & Hartson LLP and Lovells LLP have combined to form Hogan Lovells, effective May 1, 2010.

Our new firm now has about 2,500 lawyers in more than 40 offices throughout the United States, Europe, Asia, the Middle East, and Latin America. We are excited about the expanded global capabilities that Hogan Lovells can offer our clients, including a broader range of legal services in virtually all major international markets. Though we are a new firm, our fundamental values and our commitment to excellence remain unchanged.

We believe that this is a great combination that will benefit all our clients. In the Privacy and Information Management area especially, the combination gives us even greater breadth and depth.

The compliance challenges and business risks related to personal data are significant and growing. With advances in technology, personal information increasingly is collected, stored, used, and shared. At the same time, the regulation of data use and security is increasing worldwide.

Hogan Lovells has one of the largest and most experienced Privacy and Information Management practices in the world, spanning the United States, the EU, and Asia. The group assists clients with all of their compliance challenges, drafting policies and providing advice.

  • We are among the very few law firms that can help you achieve compliance both globally and in regard to specific national laws.
  • Our lawyers are conversant with local regulations, the laws affecting cross-border data transfers, and the laws regulating sectors that collect sensitive personal information, such as finance and health.
  • We represent clients in adversarial matters concerning the use of data, whether at the level of the EU data protection authorities, or before the U.S. Federal Trade Commission, Department of Health and Human Services, state attorneys general or in private party litigation.
  • We play an important role in the development of public policy regarding the future regulation of privacy.

Awards and Rankings

  • Recognized for our "deep and thorough understanding of the privacy issues surrounding the healthcare sector," Chambers Global: USA (2010)
  • Ranked in the first tier and awarded "plaudits for delivering an 'exceptional standard,'" Legal 500: Europe, Middle East & Africa (2010)
  • "Probably the most sophisticated clutch of privacy advisors in the country," Legal 500 US (2009)
  • "The Brussels team is lauded for its protection expertise," Chambers Global: Europe-wide (2009)

For more information about the new Hogan Lovells Privacy and Information Management practice, visit our web site.