Data Law InsightsMaida Oringher Lerner

Adoption of Privacy Shield expected in early July; Federal Court limits VPPA liability; Belgian Court overturns Facebook fine; FTC robocall crackdown; A rare HIPAA criminal conviction; UK’s ICO fines Brexit campaigners for mass text messages; House report calls for national encryption commission.

European Commission expects adoption of Privacy Shield for beginning of July

European officials are hoping to finally formalize the “EU-U.S. Privacy Shield”, the cross-Atlantic data transfer pact aiming at replacing the formerly invalidated “U.S.-EU Safe Harbor” Framework, on July 5. The initial draft agreement has been amended to include new explanations of U.S. governmental entities and further limitations on the bulk collection of data and mass surveillance. The European Commission is now confident that also the Article 31 Committee will give its approval to the draft framework.

Many European Privacy regulators and EU bodies, such as the European Parliament and the European Data Protection Supervisor, had argued that the initial draft did not sufficiently protect the fundamental rights of European data subjects. The revised version now “only” allows bulk collection “exceptionally”, where targeted collection is “not feasible”, although it remains open how ‘feasibility’ should be determined.

“This new framework for trans-Atlantic data flows protects the fundamental rights of Europeans and ensures legal certainty for businesses,” Christian Wigand, a European Commission spokesman, said in a statement. “We are now in the process toward formal adoption.”

Federal court: VPPA does not protect against disclosure of certain digital identifiers

The U.S. Court of Appeals for the Third Circuit ruled that merely collecting information does not violate of the Video Privacy Protection Act (“VPPA”). Furthermore, the court held that digital identifiers such as IP addresses, device identifiers, and browser fingerprints fall beyond the scope of the VPPA’s protection.  The plaintiffs in In re: Nickelodeon Consumer Privacy Litigation claimed that the defendants unlawfully collected personally identifiable information of children younger than 13, including websites visited and videos watched by each plaintiff.  The complaint alleged violations of various federal and state laws, some of which had been addressed—and thus foreclosed— by a November 2015 decision dismissing similar claims under federal and California laws.

The VPPA issues, however, had never been addressed by the court. The unanimous decision explained that under the statutory language, only those who disclose, not merely receive, covered information are subject to suit.  While recognizing difficulty in determining the outer limits of personally identifiable information, the court further concluded that the link between a person and the identifiers at issue was too attenuated to trigger VPPA liability.

Belgian Court overturns Facebook fine for tracking of non-users

On June 29, 2016, Facebook Inc. won its appeal against the record fine of € 250,000 per day imposed by the Belgian Competition Authority on the company’s European affiliate Facebook Ireland in May 2015 for having tracked non-users in Belgium without their explicit consent.

The Brussels Court dealing with the appeal found that Ireland, not Belgium, has jurisdiction over Facebook Ireland and that thus the Belgian Privacy Commission had not been competent to issue the enforcement action. Belgian citizens cannot obtain protection for their private lives through the courts when it concerns foreign players,” The Belgian DPA’s President Willem Debeuckelaere criticized the ruling.

The case arose from a finding of the Belgian Regulator that Facebook breached Belgian and EU privacy law by using social plug-ins (“Like-Button”) on third-party websites to collect the personal data of Belgian Internet users, regardless of whether they were Facebook users. In November 2015, a Belgian Court had confirmed the fine and given Facebook 48 hours of time to stop the tracking of Belgian non-users (see judgment available here).

The Privacy Commission, in a June 30 statement, announced that it would recast the enforcement action.

FTC continues crackdown on robocall operations

The Federal Trade Commission (“FTC”), in tandem with the Florida Attorney General, has charged multiple defendants with illegal and deceptive conduct arising from a scheme using robocalls to sell debt relief services. The complaint alleges the illegal robocall scheme misled and deceived consumers who would then pay fees—a total of $15.6 million since January 2013—for the alleged services.  This is the 39th action taken against robocall schemes by a multinational enforcement coalition, which includes the FTC, since January 2015.

Criminal conviction for HIPAA violation

An Ohio federal jury rendered a guilty verdict against a respiratory therapist charged with violating HIPAA by unlawfully accessing health information of almost 600 patients. Jamie Knapp was indicted in 2015 for accessing records for patients other than those she was treating in the course of her employment at an Oregon hospital.

HIPAA convictions are rare, and this is one of just a handful since 2012. However, this conviction serves as yet another reminder that external parties are not the only threats to data security.  Firms should closely consider the presence and effectiveness of internal controls and protocols to protect against unauthorized access of health information by employees.

UK’s ICO Fines Pro-Brexit Campaigners for sending more than 500,000 spam text messages

The Information Commissioner’s Office (“ICO”) of the United Kingdom (“UK”) has fined the British Company “Better for the Country Ltd.”, which was actively campaigning for Great Britain to leave the EU, 50,000 pounds for having sent more than 500,000 spam text messages to people without having their consent.

The company, better known under its campaign name “Leave.EU.”, sent unauthorized direct marketing messages to individuals, asking the recipients to reply with “YES” to support the campaign or with “STOP” to opt-out from it and thereby breached Article 22 of the Privacy and Electronic Communications Regulations (“PECR”), based on the EU Directive 2002/58/EC (the “e-Privacy Directive”). Between May and October 2015, the ICO received 140 complaints about these messages.

This is not the first time the ICO has fined political campaigners. In March 2016, David Lammy, Member of the Parliament, had been fined for nuisance calls. Stephen Eckersley, the ICO’s Head of Enforcement, explained that, “[p]olitical parties and campaign groups must follow the same rules as anyone else.”

Homeland Security Committee recommends national commission on digital security

The House Homeland Security Committee issued a primer on the national debate regarding encryption, particularly the need for balance between effective law enforcement and encryption protecting personal, financial, and proprietary information.  The report is the result of a twelve-month process assessing the impact of encryption.  The primer summarizes the current state of encryption, its impact on stakeholders, the governing legal framework in key nations, and current legislative proposals in Congress.  The Committee concludes that current proposals risk “significant blowback for all the parties involved” and thus cannot sufficiently address the issues presented in the encryption debate.  In conclusion, the report calls for a “national dialogue” on encryption and its effect on competition, security, and social values.  The Committee proposes the creation of a commission comprised of experts in various fields, who will create a comprehensive report to guide Congress in crafting future legislation.