Data Law InsightsMaida Oringher Lerner

Brexit effect on EU and UK Privacy rules; EU and U.S. to strengthen ‘Privacy Shield’; Ponemon Study on Healthcare Data Security; Mobile ad provider fined for deceptive conduct FTC comments on the Internet of Things

Brexit – what does it mean for EU and UK Privacy rules?

On June 23, 2016, the population of Great Britain in a historical referendum voted to leave the European Union with a majority of 52% vs 48%.  Although this decision does not have immediate impact on the membership of the United Kingdom in the EU (the UK is still a Member of the European Union and will remain so until at least 2018, see also FAQ on the further procedure by the European Commission), waves of discussion are rising high, among others about the future of UK Privacy laws and the implementation of the General Data Protection Regulation (GDPR).

In a statement of June 24, 2016, the UK’s Data Protection Authority (ICO) has stressed that “the Data Protection Act remains the law of the land irrespective of the referendum.” This means that on the short term, in principle nothing will change. This also applies with regard to the ongoing EU reform, as a result of which the GDPR will enter into force on May 25, 2018, and thus in any event before the earliest possible day for a definite exit of the UK out of the European Union.  It will therefore – at least for a short period of time – also apply to UK businesses.

What will certainly have an impact, however, is the moment in which the UK factually leaves the European Union. Although the ICO has stressed that it aims to stay as close to European Privacy laws as possible also post-Brexit, this situation would have an immediate impact on businesses sending data to the UK.  As soon as the UK would be no longer part of the European Union, due to the absence of an ‘Adequacy Decision’ of the European Commission relating to the UK, companies would have to put in place other transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules, in order to lawfully continue to transfer personal data from European countries to the UK as soon as the exit is completed. This could only be avoided if the UK would guarantee an adequate level of Data Protection standards, which would have to be acknowledged by the European Commission.

The ICO has made its position clear: “Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”

EU and U.S. agree to strengthen “Privacy Shield”

EU and U.S. officials have agreed to add amendments to the draft “EU-U.S. Privacy Shield”, the data transfer pact many transatlantic businesses are grievingly waiting for.  The amended draft was sent for review to the European member states overnight, which are expected to hold a vote on the sufficiency of data protection granted by the agreement in the beginning of July.

After the invalidation of the former “U.S.-EU Safe Harbor Framework” by the European Court of Justice (ECJ) in October 2015 due to concerns about U.S. mass surveillance activities, the EU and U.S. officials had rushed to draft a replacement pact.  However, EU privacy regulators, as well as the European parliament, had heavily criticized the new draft and called for amendments.

According to internal EU sources, the U.S. government has now further explained the conditions under which intelligence services may be allowed to collect bulk data and also the safeguards relating to the use of that data.  Among others, the amended commitments are said to include a letter from the Office of the Director of National Intelligence, which gives an example on intelligence gathering in relation to terrorism.  Apart from that, the role of the “Ombudsman”, an independent privacy official within the U.S. system, was said to be further specified.

It remains to be seen whether these changes will suffice to satisfy the European Member States in their function as Article 31 Committee, the affirmative vote of which is needed by the Commission before the deal can be formalized.

FTC settles first action against mobile ad network operator

The Federal Trade Commission (FTC) reached a settlement with InMobi, a mobile advertising network alleged to have engaged in deceptive and misleading conduct that tracked consumer locations without consumers’ knowledge or consent.  The FTC alleged that InMobi deceived customers when it retained location data despite representations that such data would be retained only when consumers opt-in to location tracking.  InMobi allegedly obtained and retained location data regardless of consumers’ choice on data retention.  The FTC further alleged that InMobi violated the Children’s Online Privacy Protection Act (COPPA) by collecting information from apps directed at children without parental or guardian consent.  The settlement imposes a $4 million penalty with all but $950,000 suspended.

This enforcement action appears to break new ground in its pursuit of companies that make misrepresentations to non-consumers. As the FTC blog explains, “the case against InMobi demonstrates that companies also can be held liable for deceptive statements made to other businesses when those misrepresentations ultimately affect consumers.” The deception here was that InMobi misled app developers into believing that location tracking would depend upon consumer choice—a misrepresentation that developers would pass on to a consumer.  This theory of liability places additional responsibility on firms to ensure the accuracy of statements made to other companies in the development chain regarding data practices where those statements will be relied on by consumers.

Ponemon Issues Sixth Study on Healthcare Data Privacy & Security

Ponemon Institute LLC (Ponemon) published its Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data. The study includes both healthcare organizations, which are entities covered under HIPAA, and “business associates,” which are entities that perform services for healthcare organizations that involve use of protected health information.  According to the study, healthcare organizations and business associates believe they are more vulnerable to data breach than other industries, and recent high-profile data breaches have the healthcare industry on high alert.  Ninety percent of respondents experienced a data breach in the past two years, and nearly half experienced more than five during that time.  Ponemon estimates that the average cost per breach exceeds $2.2 million for healthcare organizations and about $1 million for business associates.

Ponemon found an increase in the number of healthcare organizations with technology to detect or prevent data breaches. The greatest concern for healthcare organizations are employee negligence or other unintentional action leading to security breaches, and as a result, the organizations have increased efforts to fight data breaches caused by negligence and criminal attacks.

The study also examined the prevalence of data breach insurance among healthcare organizations. About one-third of organizations have purchased cyber breach insurance policies, which in the majority of cases cover defense, forensics, and investigative costs.

FTC on IoT: yes to notice-and-choice, no to IoT-specific legislation

The FTC filed comments with the National Telecommunications and Information Administration (NTIA) concerning benefits and challenges of the Internet of Things (IoT), as well as what role the federal government should play with respect to the development of the IoT.  The FTC discussed three risks associated with the IoT—safety, privacy, and bias against disadvantaged communities—and recommended best practices concerning security, data minimization, and consumer notice and choice.

The FTC also discussed the role government should play in IoT development and maintenance. Specifically, the FTC opined that “IoT-specific privacy and data security legislation would be premature at this time,” and that Congress should enact general, “technology-neutral” standards that “strengthen the FTC’s enforcement tools” when security breaches occur.  If future legislative efforts follow the FTC’s recommendation for general standards, firms should expect the FTC to continue its increasing efforts as a data privacy and security watchdog.