Does California Twitter Unmasking Order Suggest the Application of Foreign Privacy Law in the US?

Twitter unmasks anonymous British user in landmark legal battle

California court forces site to reveal personal details of user accused of libelling local authority in north-east England

Thus read a headline in The Guardian (UK).
 
The Guardian was reporting on a recent California ruling ordering Twitter to unmask an anonymous critic of a UK local government council. The ruling raises the question of whether foreign privacy law will be applied in the US. In this case, the ruling deprived someone of privacy (the anonymous online critic), but the outcome seems to suggest that a US company may be subject to foreign privacy law, even if it conflicts with First Amendment principles.

In the EU, one element of privacy law is the right to know who is making anonymous criticisms. This has made it difficult for US companies operating in the EU to use anonymous whistleblower hotlines (deemed useful in corporate governance). In the US, of course, the right to criticize anonymously has a strong degree of First Amendment protection.
 


HHS issues new HIPAA accounting of disclosures rule

The Department of Health and Human Services (HHS) has issued a proposed rule implementing changes to the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information. This proposed rule addresses the changes required by the HITECH Act, which requires HIPAA covered entities and business associates to account for disclosures of protected health information made through an electronic health record that are for treatment, payment, and health care operations purposes.

The proposed rule divides the accounting rights into two distinct individual rights. The first right follows the long-standing accounting of disclosure rules, modifying the existing rule to require an accounting for three years prior to an individual’s request instead of the current six years. The second provides individuals with a new right to receive a written “access report” that describes uses and disclosures of their PHI made through an “electronic designated record set.” This new access report would include information on a covered entity’s workforce members who have accessed information and would apply to information in an electronic designated record set, not only information in an electronic health record, as required by HITECH.

The proposed rule is available today at http://www.ofr.gov/OFRUpload/OFRData/2011-13297_PI.pdf and will be published in the Federal Register on Tuesday, May 31.

NLRB Increases Enforcement Activity Against Discipline of Employees for Use of Social Media

The National Labor Relations Board (NLRB) has social media in its sights. We last reported on the NLRB social media agenda when its Hartford Regional Office issued a complaint last year against a company that terminated an employee for posting disparaging comments about her supervisor after an incident at work. That case settled earlier this year, with the company agreeing to change provisions in its social media policy that prohibited employees from making any online remarks about the company or its supervisors. Those statements, according to the NLRB, violated the National Labor Relations Act (NLRA), which prohibits employers from restricting their employees from discussing terms and conditions of employment.

Since then, there has been a spate of activity at the NLRB on the social media front, including the issuing of two new complaints in the last three weeks.


Live Blogging from the eG8 in Paris: A Call for Global Cooperation on Privacy

My fellow Hogan Lovells Privacy and Information Management practice leader, Marcy Wilder, and I are delegates to the eG8 Forum in Paris, where later today I will be a speaker at the session on privacy.  CEOs of Google, Facebook, News Corporation and other Internet companies are participating in the Forum.  G8 Chair President Sarkozy hopes the eG8 Forum -- the prequel to the G8 gathering of world leaders starting tomorrow in Deauville, France -- will lead to greater international cooperation in Internet governance.  Skeptics fear that the Forum is a stalking horse for greater legal regulation of the Internet, as reported here. Nevertheless, the gathering has provided a remarkable opportunity for the sharing of ideas and perspectives on the future of the Internet. 

Here are my prepared remarks for the privacy session at the eG8 Forum:  

 

As the only privacy lawyer on today's panel, I appreciate the opportunity to share my perspectives.  As we all know, data is the raw material of our Information Age. But the scale and scope of data collection and use are accelerating in ways previously unimaginable. The Internet, mobile devices, and new forms of networked sensors are combining to produce more and more data that can be collected, analyzed, shared and stored. Thus, according to a new McKinsey study we heard about yesterday here at the eG8 Forum, we are entering the era of “big data,” the label for the vast and increasing amounts of digital information being produced every day. 

The potential of big data, according to McKinsey, is more efficient and competitive businesses, a stronger world economy and better-served consumers, including with better health care services. The experts at McKinsey are concerned however that before the end of the decade, there will not be enough trained personnel to analyze all of the data. 

They also note the issue of personal privacy, an issue underlying the growing concern about the amount of data being collected about our lives and used by businesses, often without our knowledge or consent. While not a focus of the McKinsey study on big data, the world leaders gathering soon in Deauville, France for the annual G8 Summit will be considering the issue of privacy as they address the agenda item on how best to advance the Internet. Presumably, they understand – as a US Commerce Department report recently noted – that if privacy concerns increase, trust in the Internet will decrease, creating an economic drag on the Internet’s potential.

The G8 leaders will be informed by our work.  And I hope our discussion of Internet privacy will not divide on geographic lines, with representatives from the EU, which has an omnibus privacy law, expressing disdain for the American targeted approach to privacy protection, and those with a US orientation complaining about over-regulation of privacy.  If that is how the discussion evolves, that will be too bad, for there is greater need than ever for global strategies to protect privacy, and countries on both sides of the Atlantic have much to learn from each other.  

To be sure, the regional approaches to privacy protection differ even as we share a commitment to the OECD’s Fair Information Practice Principles. In the EU, the Data Protection Directive, implemented through national legislation, is an across-the-board regulation of personal data that places strict limits on the collection, use and retention of personal information. The US, by contrast, has chosen to legislate at the federal level with respect to sensitive data such as health, financial and children’s data, and to target enforcement on privacy violations through the regulatory powers of the Federal Trade Commission and state attorneys general. A number of states have stepped in, too, to regulate the collection, use and security of personal data. Nearly all of the states have data security breach notification laws to inform people when their personal data is at risk.

Privacy self-regulation by businesses and industry groups also is an American tradition, as more and more companies recognize that violations of privacy tarnish brands and alienate consumers. As the privacy think tank I founded and co-chair, the Future of Privacy Forum, has noted, the recent initiative by industry to empower consumers to stop online tracking of their web activities by advertisers is an example of a self-regulatory effort to protect privacy.

While the American approach to privacy may be untidy, in contrast to an omnibus law, a recent Berkeley study concluded that the combination of laws and increased attention by business to the importance of privacy has led to a notably more privacy-protective environment than existed in the 1990’s. And there is recognition in the US that more has to be done to protect privacy. A report from the Federal Trade Commission will be finalized soon on new approaches to privacy protection and legislators on Capitol Hill are focusing on privacy as never before.

Still, the EU takes the position that the US lacks “adequate protection” for the personal data of EU citizens and thus bans the cross-border transfer of such data to the US unless special legal undertakings are made by US businesses to receive the data.

In the US, with our First Amendment traditions, we have trouble understanding the justification for certain EU legal actions in the name of privacy, such as "super injunctions" preventing "tweets" naming litigants in civil actions, and enforcement of the so-called “right to be forgotten” against a search engine merely for linking to an unflattering article about someone on the Web. Nor do we understand how a Google executive can be convicted criminally for a random posting by a YouTube user that was said to violate personal privacy.

Despite these differences, there is an emerging consensus on both sides of the Atlantic that people are entitled to greater privacy protections. There is much that can be done cooperatively to advance such protections, like cooperation in cross-border enforcement against multi-national privacy violators, and the adoption of “Privacy by Design” as a standard to be followed by businesses at every stage in the development of new technologies.

In the era of big data, privacy is too important to be overshadowed by claims of legal framework superiority. The eG8 and G8 are good places to sound the chord of cooperation in the advancement of personal privacy.   

I am pleased to be part of the discussion.

 

HIPAA Security Rule Oversight by HHS is 'Insufficient' According to the OIG

The U.S. Department of Health and Human Services Office of the Inspector General issued two reports yesterday criticizing the Centers for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health IT (“ONC”) for doing too little to protect the security of patient health information. The first report, Nationwide Rollup Review of the Centers for Medicare & Medicaid Services HIPAA Oversight, found that CMS oversight and enforcement "were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule."


California PUC Issues Proposed Decision on Smart Grid Privacy

On May 6, 2011, the California PUC (CPUC) issued a proposed decision by CPUC President Peevey addressing smart grid privacy and security. The proposed decision is part of a longstanding proceeding we first discussed here.

The proposed decision represents a significant step towards a set of smart grid privacy rules in the United States during a time that smart grid privacy is attracting increasing global attention. For example, as discussed in the Chronicle of Data Protection post on April 18, 2011, the European Union’s Article 29 Working Party issued smart meter guidelines last month.


German Census 2011 Raises Privacy Concerns and Court Challenges

This week, Germany started a new Volkszählung - the first count and registration of Germany's, its federal states' and communities' population since 1987. The 2011 census has precipitated privacy concerns and legal challenges.

The census has its basis in the EU Regulation 763/2008, which provides that such census be conducted by the Member States in 2011, the Federal Census Act 2011 (Zensusgesetz 2011), and implementation laws enacted by the federal states. Approximately one third of the people living in Germany are asked questions related to age, registered residence, nationality, relationships, education, employment, and residential property. People that refuse to answer could face monetary fines of up to 1,500 Euro. The data gathered shall be used for "important political and economical decisions", such as the re-calculation of the financial compensation scheme of Germany's federal states or of the distribution of seats in the Bundesrat (the representation of the federal states on the federal level).


UK Issues Guidance on Obtaining Consent for the Use of Cookies

Quentin Archer in the Hogan Lovells London office prepared this entry.  

Few topics in the world of EU data protection have generated so much debate, and so little understanding, as the change to the law on cookies. On 9 May the UK Information Commissioner issued some guidance on the new law, but anyone expecting clear instructions on how to achieve compliance will be very disappointed.

In essence, the change in the law is simple. The Privacy and Electronic Communications Directive of 2002 provided that users should be given clear information about cookies as well as an opportunity to opt out of them. Under the 2009 amendment to the Directive, which Member States are to implement by 26 May, users must give their consent to the storage of the cookie on their terminal equipment. Cookies employed for the sole purpose of carrying out the transmission of a communication over an electronic network, or which are strictly necessary for the provision of a service requested by a user, are exempt.


New York Times Stirs Debate over EU vs. US Privacy Commitment

Last week, the New York Times published an article entitled "Europe Leads in Pushing for Privacy of User Data," which observed:

As pressure grows for technology companies like Apple and Google to adjust how their phones and devices gather data, Europe seems to be where the new rules are being determined.

After detailing some of the recent activities of Data Protection Authorities in the EU concerning location privacy, the article criticized the US framework:

In the United States, there is no single agency dedicated to privacy, and while the Federal Trade Commission and the Federal Communications Commission can deal with violations of privacy, those agencies are mainly focused on enforcing fair business practices.

In response, Christopher Wolf, Co-Director of the Hogan Lovells Privacy and Information Management practice, wrote a Letter to the Editor, which was published today by the New York Times. Chris said that last week's article "leaves the impression that privacy is less of a policy concern in the United States than it is in the European Union." He went on to respond:

There has also been an intense focus on protection of consumer data on Capitol Hill, in the agencies and in the media.  Privacy is just as much an American concern as it is a European one.  Our approach to how best to achieve privacy for personal data may differ from that of our European colleagues, but our commitment is equal.

Chris also cited the recent Bamberger/Mulligan study, "Privacy on the Books and on the Ground" in support of the proposition that privacy protection is robust in the United States: 

A recent study by two professors at the University of California at Berkeley presented a different picture [than that in the Times article].  The combination of aggressive privacy and data security enforcement by the Federal Trade Commission, the existence of data security breach notification laws across the country and the appointment of chief privacy officers in many institutions have led to a much stronger American privacy framework than ever before.
