Cloud Computing for Regulated Industries: Security Requirements Differ

Data stored in the cloud will be subject to numerous data security laws, explains Hogan Lovells partner Phil Porter in a recent article. Specific types of data will trigger different security regulations, ranging from HIPAA rules for health data, to Gramm-Leach-Bliley Act rules for financial services data, to COPPA for data about children. Hosting data in the cloud in the U.S. might also subject that data to U.S. national security rules, including the USA PATRIOT Act. Cloud service providers and customers need to tailor their contractual provisions to match these regulatory imperatives.

European Cookie Legislation: Pragmatic advice for five jurisdictions

Hogan Lovells privacy lawyers from five European jurisdictions have published an overview of the privacy rules applicable to Internet cookies in Europe. The new rules, which flow from a recent amendment to the European E-Privacy Directive, are not yet settled in all European Member States. The overview provides practical guidance on how to comply with the new prior consent rules that will apply in the United Kingdom, France, Germany, Italy and Spain.

New data privacy and security requirements proposed for human subjects research

The U.S. Department of Health and Human Services (HHS) has published proposed new requirements for human subjects research under the Common Rule that, if adopted, would impose significant new data privacy and security obligations on research entities. HHS is considering the creation of mandatory data security and information protection standards for all studies involving identifiable or potentially identifiable data. This could include adopting the HIPAA Privacy Rule standards for determining when data is deemed de-identified, as well as treating research on biospecimens as research involving identifiable information. HHS also proposes to re-evaluate the HIPAA de-identification standard to ensure it reflects emerging technology and evolving informational risks. HHS requests comment on these proposals.

HHS also proposes data security requirements for research information. These could include a requirement that research involving the collection and use of identifiable data adhere to the HIPAA Security Rule standards, as well as breach notification standards modeled on the HIPAA requirements. For research using limited data sets or de-identified information, re-identification of individuals would be strictly prohibited. HHS would provide for additional enforcement as well as periodic random audits of research institutions. HHS poses a number of specific questions regarding implementation of data privacy and security requirements for research entities. The HHS issuance takes the form of an Advance Notice of Proposed Rulemaking (ANPRM), Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators. Comments will be accepted for 60 days following publication of the ANPRM in the Federal Register. The ANPRM and related information can be accessed at http://www.hhs.gov/ohrp/humansubjects/anprm2011page.html.

Article 29 Working Party Guidelines on Consent will Lead to More Pop-ups

On July 13, 2011, Europe’s Article 29 Working Party issued an opinion on the notion of consent and how it should be interpreted and used under European data protection laws. The guidelines are in large part a compilation of recommendations previously made by the Article 29 Working Party for particular forms of processing, such as collection of patient data for electronic health records, transfer of data to third parties, processing of passenger name records, etc. The guidelines also draw on case law of the European Court of Justice, including an important decision in the field of employment law interpreting what constitutes a valid consent of an employee. 

What emerges from the guidelines is first that data controllers should be wary of relying too much on consent as a basis for processing, particularly when other justifications for the processing may suffice under the directive. It is tempting in some cases to apply a “belt and suspenders” approach by asking data subjects for their consent even when another legal justification for the processing would suffice by itself. The guidelines point out that requesting consent in these circumstances might be a “false good solution”, and create awkward situations when a consent is withdrawn while the data controller still has legitimate grounds to pursue the processing of data.

Financial Services Industry Group Issues Social Media Guidance

A financial services industry group has released guidance on managing the risks associated with using social media, including data protection concerns. The guidance, titled "Social Media Risks and Mitigation," was released this week by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies. The 71-page report details numerous risks that banks and other financial companies may face when using social media, including compliance, legal, operational and reputational risks. These risks are discussed in the context of three types of social media use:

  • By a financial institution to communicate with or service the financial institution's customers
  • By the financial institution's employees in their personal or professional capacities
  • By the financial institution's employees or contractors outside the office

The guidance thus addresses sector-specific regulatory requirements, such as Gramm-Leach-Bliley Act compliance and FINRA rules applicable to securities firms.  It also addresses concerns that are relevant to financial institutions as employers, such as bank employees' personal use of social media.

The BITS report is particularly significant because it responds to a need for guidance in an industry that is increasingly using social media but still lacks clear rules from regulators regarding such activities. While FINRA has issued guidance on the use of social media by firms subject to FINRA's oversight, the federal banking agencies have not, to date, issued detailed guidance to the banking industry on the banking compliance issues raised by use of social media.

While targeted at the financial services sector, the report also has relevance to many other types of social media users. It gives guidance, for instance, on coordinating a company's social media policies with its other policies and on performing a risk assessment to determine the risks a company's social media activities could pose.

Privacy v. Anti-Piracy: Content Owners Warned to Supervise Anti-Piracy Monitor to Ensure Privacy

The anti-piracy efforts of the content industry in France recently resulted in a warning from French authorities that, when policing online piracy through use of a third-party contractor, privacy must be respected and enforced. 

The French agency entrusted with fighting online copyright infringement, the HADOPI, sends warning letters to suspected online infringers after receiving IP addresses collected by right holders. Right holders use a service provider, TMG, to collect these IP addresses. Before putting the system in place, right holders obtained an authorization from the French data protection authority, the CNIL, allowing them to collect IP addresses for this purpose.

Privacy Blog Content Now Available on Facebook, Twitter and Through Mobile Apps

Whether you keep up with breaking news through social media or always have your mobile device handy, now you can access the latest privacy and data protection news in your favorite way. On Facebook, visit our page at www.facebook.com/hldataprotection and click the “Like” button, or follow @HLPrivacy on Twitter, to receive notice of new blog posts and upcoming Hogan Lovells privacy events. And for on-the-go reading there’s also our mobile web app, which you can access from most tablets and mobile devices, including iPad, iPhone, and Droid, at http://mobapp.hoganlovells.com/privacy.  (This entry tells you how to create an icon for the mobile app on your iPhone.)

An In-Depth Look at the Supreme Court Decision on Vermont's Prescription Data Mining Law

Springboarding off our earlier report on the Supreme Court's decision in Sorrell v. IMS Health, Hogan Lovells Privacy and Information Management practice co-leader Marcy Wilder and associate Eric Bukstein have published a more detailed look at the case. Read their BNA Privacy & Security Law Report for analysis of the decision.

Report from Canada: New Canadian Anti-Spam Legislation About to Go Into Effect

This report on Canada's new Anti-Spam law comes to us from our friend Mark Hayes, one of Canada's leading privacy and Internet lawyers.

While unofficially known as the “Fighting Internet and Wireless Spam Act” (FISA), Canada’s new anti-spam legislation is officially titled:

“An Act To Promote The Efficiency And Adaptability Of The Canadian Economy By Regulating Certain Activities That Discourage Reliance On Electronic Means Of Carrying Out Commercial Activities, And To Amend The Canadian Radio-Television And Telecommunications Commission Act, The Competition Act, The Personal Information Protection And Electronic Documents Act And The Telecommunications Act” 

The Act was enacted on December 15, 2010, but will not come into force until sometime in the fall of 2011. Regulations have not yet been enacted in connection with the Act, but are expected to be passed in the fall of 2011.

The stated purpose of the Act is to promote efficiency of the Canadian economy by regulating conduct that discourages use of electronic means for commercial activity. In particular, the Act sets out a number of prohibitions relating to the control and prevention of unsolicited electronic messages, malware and spyware, as well as provisions providing remedies against prohibited electronic practices and amending a number of other pieces of legislation in line with the Act.

CNIL Official Provides Insight Into EU Privacy Law Reform

Florence Raynal, Head of the International Division of the French Commission Nationale de l'Informatique et des Libertés (CNIL), recently said at an American Chamber of Commerce in France (AmCham) roundtable that the European Commission's legislative proposals for revision of the 1995 EU Privacy Directive would be released before the end of 2011, and that the new legislative package should be adopted by 2014. Raynal said the new package might include a regulation, which, unlike a directive, would have direct effect and thereby avoid some of the harmonisation problems encountered in connection with the 1995 Directive.

Raynal was joined at the AmCham roundtable by Christian Pardieu, Head of Privacy Policy for GE in Europe.  Pardieu and Raynal agreed on the main topics that would be covered by the future EU reform package:

  • simplification of notification formalities;
  • the 'right to be forgotten';
  • accountability principle;
  • applicable law.

When discussing the accountability principle, Pardieu pointed out that corporations should receive a benefit from voluntarily implementing audit and other accountability measures, whereas Raynal said the CNIL did not view accountability as a "trade-off" for other benefits. For the CNIL, accountability is part of compliance with a data controller's legal obligations, although she said that accountability measures may not be appropriate for all kinds of businesses.

Raynal concluded with a discussion of binding corporate rules (BCRs), including the new timeframes applicable to multi-jurisdictional applications and useful tips on drafting BCRs.

The full summary of the AmCham meeting is available here: CNIL AmCham meeting on Revision of EU Privacy Directive

Hogan Lovells partner Winston Maxwell co-chairs the AmCham's New Media, IT and Privacy Committee, which hosted this event.

Round Up of Developments in Social Media Law

Social media has been a hot topic of late. Companies are debating the official use of social media for marketing purposes, social networking privacy has been the subject of recent (failed) legislation, and the EU has been ratcheting up pressure on prominent social networking sites to enhance privacy protections. Social media was even a topic of discussion at this May's "eG8" in Paris, an event blogged about recently by Chris Wolf.

The Hogan Lovells Chronicle of Data Protection has covered social media developments over the past year or so, and we provide a summary of that coverage for you here in one place, allowing you to take stock:

Supreme Court Agrees to Hear Geolocation Privacy Case

The Supreme Court on June 27 granted certiorari in a geolocation tracking case that could have implications for companies that incorporate location-tracking features into their products or that monitor the locations of their employees or assets. Specifically, the Court asked the parties to brief whether the government violated the defendant's Fourth Amendment rights by installing a Global Positioning System (GPS) tracking device on his vehicle without a warrant and without his consent.

French Parliamentary Commission Recommends Privacy Law Reform Citing Testimony of Hogan Lovells Privacy Lawyer

After a year of hearings, including meetings in Washington with the FTC and DOJ, a French parliamentary commission released its findings on the protection of individual rights in the digital revolution. The 384-page report from the French National Assembly covers a broad range of issues linked to data protection, including specific recommendations on EU privacy law reform. Hogan Lovells partner Winston Maxwell testified before the parliamentary commission, and the commission cited Winston's testimony in connection with its recommendations on the "right to be forgotten," privacy by design, and net neutrality.

The parliamentary commission found that the "right to be forgotten," while an attractive concept, covers a broad range of different situations, and that the key element of the "right to be forgotten," i.e. that individuals have a right to access and to require the deletion of personal data about them, is already covered by existing law. Citing Maxwell's testimony, the commission concluded that the creation of a new "right to be forgotten" does not appear necessary from a legal standpoint. On the issue of privacy by design, the commission recommended that Europe invest heavily in privacy-enhancing technology and use privacy by design to create a competitive edge for European industry.