Privacy law meets antitrust – EU Commissioner Vestager on data in competition law; ECJ to rule on admissibility of Privacy class actions; Northern District of California Sends Yelp Privacy Suit to the Jury; EU Advocate General finds EU-Canadian PNR pact unlawful; New York Unveils New Cyber Security Rules for Financial Services Organizations; New Jersey Senate Passes Shopping Privacy Bill; NIST Issues Mobile Threat Guidance

Privacy law meets antitrust – EU Commissioner Vestager on when privacy issues can lead to antitrust concerns

European Competition Commissioner Margarethe Vestager has commented on the relevance of privacy issues with regard to EU antitrust rules. According to Vestager, current investigations of the German Federal Cartel Office regarding Facebook’s “privacy issues” would “not necessarily” lead to competition law concerns, even though both fields of law might correlate under certain circumstances.

In the investigations at issue, the German Federal Cartel Office is alleging Facebook of abusing an alleged ‘dominant position’ in the market for social networks by imposing unfair conditions regarding the privacy settings for Facebook accounts on its users. The German antitrust regulator is arguing that users would have “no choice” whether to accept the conditions or to terminate their account, because there is no real alternative to the well-known social network. Under Article 102 of the Treaty on the Functioning of the European Union (‘TFEU’), “dominant companies are subject to special obligations. These include the use of adequate terms of service as far as these are relevant to the market.”

It still remains to be seen whether Facebook will ultimately be found in breach of EU antitrust rules relating to its Privacy Policy. On a more general matter, however, the Commissioner’s statements seem to confirm that indeed, companies controlling vast amounts of data may be considered able to prevent market entry by withholding this data from potential competitors who could not reproduce comparable datasets themselves and therefore might violate Article 102 TFEU. Companies that might fall in this category should therefore be prepared that not only privacy regulators, but also antitrust authorities might potentially be questioning them regarding their use of data in the future. Nevertheless, “simply holding a lot of data” would not be enough to raise antitrust suspicions, Vestager appeased.

Continue Reading Privacy & Cybersecurity Weekly News Update

Last week, we highlighted our colleagues’ post in Crowell’s Trade Secrets Trends focusing on recent comments submitted by the U.S. Chamber of Commerce regarding the need to stem the cyber theft of intellectual property.  Today, we once again turn to our sister blog to highlight an example of how that theft plays out in the private sector.  The post overviews a recent trade secrets case that stems from an all too frequent fact pattern – the insider threat.  Cases like this serve as useful reminders about the benefits of an insider risk program and data loss prevention tools.

Earlier this month, the U.S. Chamber of Commerce submitted comments in response to the National Institute of Standards & Technology’s request for information regarding cybersecurity and the digital economy. The Chamber’s comments focused on specifics such as the NIST Cybersecurity Framework and the Cybersecurity Information Sharing Act of 2015, but it also discussed more generally the benefits of norms and deterrence in the cyber age. In our sister blog Trade Secrets Trends, our colleagues highlight how those norms and deterrents could help further trade secrets protections.

 

 

HHS Jumps on the Cybersecurity Information Sharing Bandwagon; Third Circuit on Economic Loss as a basis for Negligence Claim; FTC workshop on Ransomware; German draft implementing law for GDPR revealed.

HHS Jumps on the Cybersecurity Information Sharing Bandwagon

Because of recent news reports confirming that cyberattacks against healthcare agencies have increased 125 % in the past five years, HHS is encouraging HIPAA Covered Entities and Business Associates to share information to combat future attacks.

HHS, based on authority from Executive Order 13591 and the Cybersecurity Information Security Act (CISA), is urging Covered Entities and Business Associates to join Information Sharing and Analysis Organizations (ISAOs) to share security threat and vulnerability information related to electronic protected health information (ePHI).

Ideally, ISAOs will provide a mechanism for sharing information bi-directionally “between HHS and the Health Care and Public Health (HPH) sector regarding cyber threats and will also provide outreach and education to the HPH sector.” This press release from HHS follows a similar measure by the Department of Homeland Security, which also encourages information sharing to mitigate the risk of cyberattacks.

In developing ISAOs in the health care sector, it is critical to consider three things:

  • the standards and best practices for the creation of ISAOs to ensure that covered entities and business associates that participate gain the protections of such information sharing under CISA;
  • the data that is shared in light of what is permitted under the HIPAA Privacy Rule; and
  • how participation in an ISAO can support compliance with the HIPAA Security Rule.

Crowell & Moring is a leading expert in the creation of ISAOs and HIPAA compliance and can help stakeholders that seek to comply with HHS’s call to action to consider the intersection of these various legal frameworks

Continue Reading Privacy & Cybersecurity Weekly News Update – Week of September 12

Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group; ICO publishes report on data security incident trends.

Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group

On September 01, 2016, the German Data Protection Authority of Bavaria (BayLDA) has announced that according to their understanding, sanctions under the GDPR will be calculated based on the revenue of a whole company group. According to the authority, this should apply even when only one single entity is responsible for an incident.

In its position paper, the BayLDA elaborates that fines under the GDPR have to be “effective, proportionate, and dissuasive.” For most infringements, the fine can amount up to a maximum of either € 10 million, or 2% of the company’s annual global turnover (the higher will apply). For serious infringements, the fine can even amount up to the higher of € 20 Million or 4% of the respective turnover. The turnover will comprise of the turnover of the whole company group a company belongs to, according to recital 150 of the preamble, which relates to the “economic concept of an undertaking”.

Although the BayLDA’s position paper is non-binding, the interpretations and views published can nevertheless be considered very important hints on how in particular the German Data Protection authorities will interpret and enforce the new Regulation, which will enter into force on 25 May 2018. The European Data Protection Board, a group of representatives of the EU Member States (currently known as Article 29 Working Party), is expected to issue guidelines on the calculation of fines.

Continue Reading Privacy & Cybersecurity Weekly News Update – Week of August 28

ICO investigating into Facebook and WhatsApp Data Sharing Plans; Germany and France publish joint action plan against encryption; PrivacyShield now covering 200 U.S. companies.

UK DPA investigating into Facebook and WhatsApp Data Sharing Plans

The United Kingdom’s Information Commissioner (‘ICO’) is taking a closer look into WhatsApp’s plan to share more user data with parent company Facebook for the purposes of targeted advertising.

According to a recent WhatsApp blog post, WhatsApp has changed its Privacy Policy on August 25. This move will allow the company to share further personal information, in particular the mobile phone numbers of its users, with parent company Facebook. According to information published earlier this week, users should have 30 days to decide whether they want to receive targeted advertising, but they should not be allowed to object the data sharing as such.

Actually, the new approach of WhatsApp is not such a big surprise, as similar concerns had already been raised in the debate around the acquisition of WhatsApp by Facebook. However, the European Commission had explicitly made clear that the assessment of privacy issues does not fall within its competence as a Competition authority, and approved the merger.

Continue Reading Privacy & Cybersecurity Weekly News Update – Week of August 21

First self-certifications accepted under Privacy Shield; EU Commission considers extension of telecommunication rules to apps.

U.S. Department of Commerce accepts first bunch of self-certifications under Privacy Shield

About 2 weeks after the announced start of the certification procedure under the “EU-U.S. Privacy Shield” (‘Privacy Shield’) on August 1, 2016, the U.S. Department of Commerce (‘DoC’) has officially granted certification status to a first set of approximately 40 U.S.-based multinational companies. According to a DoC spokesperson, “nearly 200 additional certifications” are still pending and hundreds more are expected in the next few weeks.

According to the publicly accessible Privacy Shield list, companies already approved under the new framework are predominantly major U.S. tech companies, such as i.a. Microsoft Corporation and Salesforce.

Companies which have not yet registered, but plan to do so, should consider signing up within the next 1 ½ months: for those submitting their certification until September 30, the DoC grants a grace period of 9 months from the date of certification to meet the necessary compliance requirements.

Continue Reading Privacy & Cybersecurity Weekly News Update – Week of August 14

The Department of Health & Human Services Office of Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches.  Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people.  As OCR recognizes, it is often only through investigations following a reported breach that OCR uncovers more widespread HIPAA compliance issues, and it is those additional issues that often lead to monetary settlements or fines. Particularly given this increased enforcement initiative, covered entities and business associates should continue to evaluate and, where appropriate, strengthen their HIPAA compliance efforts.

OCR’s announcement listed several factors that will influence whether a small breach is investigated:

  • the size of the breach;
  • whether theft of or improper disposal of unencrypted Protected Health Information (“PHI”) occurred;
  • whether unwanted intrusions to IT systems (for example, by hacking) occurred;
  • the amount, nature and sensitivity of the PHI involved; or
  • cases where an entity has numerous breaches involving similar issues.

OCR also notes that investigation decisions may be influenced by the lack of breach reports by an entity compared to similarly situated entities.  This signifies that OCR is closely analyzing the trends revealed by annual breach reports that covered entities and business associates must submit to OCR.

For more information about steps covered entities and business associates can take to improve compliance efforts, contact the authors or your regular Crowell & Moring contact.

EU Commission publishes first results of consultation of e-Privacy Directive; Irish DPA issues Guidance on Location Data.

European Commission publishes summary report on consultation of e-Privacy Directive

On August 4, 2016, the European Commission has published a first summary report on the public consultation on the evaluation and review of the e-Privacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), also known as ‘e-Privacy’ or ‘Cookie’ Directive.

Two weeks ago, on July 19, 2016, the Article 29 Working Party, an EU advisory body comprised by representatives of the national Data Protection Authorities, had also published a detailed opinion on this issue.

The ‘e-Privacy Directive’, which contains specific rules relating to the processing of personal data in the e-Communications sector, needs to be adapted to the new European General Data Protection Regulation (‘GDPR’), which will replace the former EU Directive 95/46/EC as from May 25, 2016. The GDPR aims to ensure modernized rules and increased harmonization for Privacy in Europe and is part of the European Commission’s Digital Single Market (DSM) Strategy.

The 421 stakeholders in the consultation, of whom more than ¼ are situated in Germany, agree with a vast majority of 83% that specific privacy rules for e-Communication are useful to ensure the confidentiality of communications. In addition, 76% of respondents believe that the Directive should as well apply to so-called ‘over-the-top’ service providers (OTT), when offering VoIP services or instant messaging. However, more than ¾ of the respondents also said that until now, the Directive has achieved its aims only to a limited extent, due to – among others – too little enforcement and compliance pressure.

The Commission’s conclusions drawn from the consultation, as well as proposals on how to adapt the Directive are expected to be released later this year.

Continue Reading Privacy & Cybersecurity Weekly News Update Week of August 7

On Thursday, September 8, 2016 from 1:00 PM to 2:00 PM ET Crowell & Moring’s Elliot Golding will be speaking as part of a 60-minute Bloomberg BNA Webinar on Healthy Data Management: Essential Strategies for Governing PHI, PII, and Highly Sensitive Data during an Acquisition or Divestiture.  The panel discussion will cover the information governance life cycle for health care, life sciences, and pharmaceutical companies, from identification of sensitive data to storing and protecting that data during mergers and divestitures.  The webinar is free and open to all.

Objectives:

  • Data management considerations for companies responsible for maintaining personally identifiable information (PII), protected health information (PHI), and confidential or sensitive data.
  • Unique issues that arise when highly sensitive data is involved during the merger and divestiture transaction process.
  • Strategies to develop effective policies and procedures for data life cycle management.