‘Privacy Shield’ certifications possible since August 1, 2016; Hamburg DPA aims to challenge ‘Privacy Shield’; EU Court rules on applicability of EU privacy laws to online companies; Pokémon Go violating EU Privacy Laws?; Norwegian DPA criticizes ‘Facebook at Work’; Advocate Health to Pay Largest HIPAA Settlement Ever; FTC Overrules LabMD Dismissal; Banner Health Cyberattack Affects 3.7M; HHS Announces Grant for Healthcare Sector Information Sharing Organization
‘Privacy Shield’ certifications possible since August 1, 2016
On Monday, August 1, 2016, the U.S. Department of Commerce opened the registration process through which multinationals can self-certify their compliance with the newly adopted ‘EU-U.S. Privacy Shield’ (‘Privacy Shield’) for transfers of personal data from Europe to the U.S.
The ‘Privacy Shield’, which was formally approved via the European Commission’s adequacy decision on July 12, 2016, replaces the ‘U.S.-EU Safe Harbor’ Framework that was struck down by the European Court of Justice in October 2015. The national Data Protection Authorities (‘DPAs’), acting as the Article 29 Working Party (‘WP29’), had also okayed the new Framework, stating that they would not seek to challenge it “at least until the next annual review”.
Companies that sign up to the new framework now may therefore rely on it at least until next May. For more details, see also our Client Alert on Privacy Shield as well as last week’s blog post.
German Data Protection Authority of Hamburg announces aim to challenge ‘Privacy Shield’
Johannes Caspar, head of the German state authority of Hamburg, the “Hamburg Commissioner for Data Protection and Freedom of Information” (HmbBfDI) (‘Hamburg DPA’), has stated that he would like to challenge the ‘Privacy Shield’ before the European Court of Justice (‘ECJ’), because he has “serious doubts whether this adequacy decision meets the legal requirements of the principle of proportionality and judicial redress in the [ECJ’s] ‘Safe Harbor’ judgment.”
Under current national law, however, public authorities are not authorized to challenge Commission decisions such as the ‘Privacy Shield’ adequacy decision, and the German government confirmed in a statement of July 15, 2016 that it does not intend to grant the authorities such rights, in order to keep them independent. Caspar is nevertheless still hoping for a change in German procedural law: “If there is a legal way to seek reference to the ECJ – and we hope that the national lawmaker will enact a law for national DPAs soon – we will take all appropriate steps for getting a ruling on the validity of the Commission’s decision.”
Companies should be aware, however, that even if the Hamburg DPA is not entitled to challenge the Framework, individuals still are, provided that they can claim a violation of their right to privacy resulting from data transfers based on ‘Privacy Shield’. According to many European privacy experts, there is a high risk that such a challenge will be brought sooner or later, so considerable uncertainty remains about how long the ‘Privacy Shield’ will stay valid.
EU Court rules on applicability of EU privacy laws to online companies
On July 28, 2016, the European Court of Justice (‘ECJ’) decided that a European country’s laws on consumer protection and privacy apply to an online company only if the company has an establishment in that country (ECJ, Judgment of 28 July 2016, No. C-191/15, Verein für Konsumenteninformation v. Amazon EU Sàrl).
In the dispute at issue, concerning a subsidiary of U.S. giant Amazon.com Inc. established in Luxembourg, the court ruled that the subsidiary was not subject to Austrian law, because it had no establishment there. The mere availability of the EU website in a given country is not sufficient to demonstrate such an establishment. This confirms the court’s previous case-law, which requires a sufficient physical presence or sufficient contacts before the respective national laws apply.
For e-commerce companies and other operators that merely make their web-shops available to consumers in several EU countries without otherwise being active there, the judgment is a big relief – the judges have made clear that the national laws of those countries will not apply simply on the basis of commercial activities.
However, this may change under the new European General Data Protection Regulation as of May 2018, which will apply as soon as a business is commercially active in, or monitors the activities of citizens within, the European Union. Businesses will then, however, only have to comply with a single law instead of – potentially – 28.
Pokémon Go alleged to violate EU Privacy Laws
Pokémon Go maker Niantic may soon face privacy lawsuits in Germany and potentially in other EU Member States if it does not change the application’s terms and conditions. At the end of July, the German Federation of Consumer Organizations (VZBV) stated that Niantic would need to change at least 15 of the clauses in its user terms and its Privacy Policy to make them compliant with German privacy and consumer protection laws.
The VZBV has sent Niantic an official legal warning, setting the company a deadline of August 9 to make the required changes. Otherwise, a VZBV legal policy officer has already announced, the organization will sue Niantic in Germany. The allegations include consent declarations that are non-transparent or too broad, unlawful passing of personal data to private third parties, and several consumer-law issues.
Although Germany is the first jurisdiction in which concerns have been raised, similar issues might arise in countries such as the U.K., France or other EU countries with strong privacy and/or consumer protection laws. The French consumer rights organization ‘UFC Que Choisir’ has already described the app as “very curious in terms of personal data, potentially costly, and even dangerous.”
Facebook at Work Platform criticized by Norwegian Data Protection Authority
The Norwegian Data Protection Authority has stated that Facebook Inc.’s ‘Facebook at Work’ platform might violate Norwegian and EU privacy laws. On July 22, 2016, the DPA directly challenged the privacy adequacy of the platform and recommended changes to be requested from companies using the communication platform.
Even though Norway is not a member of the EU, it is generally obliged to follow EU privacy law under the Agreement on the European Economic Area (‘EEA’). It is questionable, however, to what extent the Norwegian action will impact other EU regulators – most EU DPAs have stated that they do not plan to challenge Facebook at Work.
Advocate Health to Pay Largest HIPAA Settlement Ever
Advocate Health Care has agreed to pay $5.55 million to settle multiple data protection violations over the last 3 years, including lax data security and breaches of the electronic protected health information (‘ePHI’) of millions of patients. The Department of Health and Human Services (‘HHS’) Office of Civil Rights (‘OCR’) reported that the settlement – the largest ever – was due to the extent and duration of Advocate’s noncompliance with data security laws.
Director Jocelyn Samuels said that OCR “hope[s] this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
OCR began investigating Advocate in 2013, following a report submitted by Advocate after 4 unencrypted laptops containing millions of patient records were stolen. Two additional, smaller breaches were also uncovered during OCR’s investigation.
FTC Overrules LabMD Dismissal
The 3 acting FTC commissioners overturned a judge’s decision to dismiss charges against LabMD. In November, an FTC administrative law judge (‘ALJ’) had issued an opinion concluding that the action brought by the FTC against LabMD should be dismissed because the FTC had failed to meet its burden of proof under the FTC Act’s Section 5 unfairness standard.
In the FTC’s opinion, the commissioners instead determined that the ALJ had applied the wrong legal standard for unfairness. Applying a broader standard than the ALJ, they found LabMD’s security practices unreasonable because they led to the unauthorized disclosure of patients’ medical data, which in turn created a significant risk of injury to those patients given the sensitivity of healthcare information.
The FTC order requires LabMD to notify affected customers, establish a comprehensive information security program, and obtain independent assessments of its implementation of such a program. LabMD has sixty days from the order to file a petition for review with a U.S. Court of Appeals.
Banner Health Cyberattack Affects 3.7M
Banner Health announced that a cyberattack on its systems may have affected up to 3.7 million of its patients and customers. The attacks reportedly began in June but were not discovered until July, and implicated both Banner Health servers and the systems that handle payment card transactions at food and beverage outlets operated by the company.
The data that may have been compromised included names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers, as well as payment card information.
Banner operates facilities in Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming. Alerts have been sent to 3.7 million patients and customers who may have been affected by the attacks.
HHS Announces Grant for Healthcare Sector Information Sharing Organization
The HHS Office of the National Coordinator for Health Information Technology and the Assistant Secretary for Preparedness and Response announced a grant to fund an Information Sharing and Analysis Organization (‘ISAO’) for the healthcare and public health sector.
The ISAO is intended to strengthen the privacy and security of healthcare information by setting up a bi-directional system to share cyber threat information among industry stakeholders and related agencies, in order to help organizations prepare for and respond to cyber threats.
ISAOs have been and continue to be set up to share cyber threat information across numerous industries, following President Obama’s signing of Executive Order 13691 in February 2015 to promote public-private partnerships and private sector cybersecurity information sharing. HHS grant applications are due by August 25.