Data Protection Update: U.S. Special
Welcome to our newsletter covering developments in the world of data protection and privacy law. Our latest issue is a U.S. special, covering: FTC settles complaint with U.S. company concerning misrepresentation of Privacy Shield participation; Texas Health and Human Services Commission fined over data breach; Last minute amendments to California Consumer Privacy Act; and Senate Democrats unveil Core Principles for future Federal Privacy Legislation.
FTC settles complaint with U.S. company concerning misrepresentation of Privacy Shield participation
A company based in California has agreed to settle Federal Trade Commission (FTC) allegations that it falsely claimed participation in the EU-U.S. Privacy Shield framework (the ‘Privacy Shield’). The FTC issues an administrative complaint when it has ‘reason to believe’ that the law has been or is being violated, and it appears to the FTC that enforcement action is in the public interest.
The EU-U.S. Privacy Shield framework provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data for commercial purposes from the EU to the U.S.
Medable Inc., a company providing technology solutions to the pharmaceutical and biotechnology industries, was found to have misrepresented in its online privacy policy that it was a certified participant, and that it complied with all of the Privacy Shield’s principles. It is understood that whilst Medable had commenced an application to participate in the Privacy Shield in 2017, it never completed the process.
As part of the settlement with the FTC, Medable is prohibited from misrepresenting its participation in the EU-U.S. Privacy Shield framework, and any other privacy or data security program sponsored by the U.S. government, or any self-regulatory or standard-setting organisation.
The proposed settlement agreement will be published in the Federal Register and subject to public comment for 30 days, after which the FTC will make a determination regarding whether to make the proposed consent order final. If the FTC does decide to issue a consent order on a final basis, any future violation of the order may result in a civil penalty of up to $42,530.
The FTC has now brought a total of 17 enforcement actions in relation to the Privacy Shield since it was established in 2016. This case highlights the importance of carefully drafting privacy policies and understanding the requirements of participation in the Privacy Shield in order to avoid enforcement action and financial penalties.
The press release from the U.S. Federal Trade Commission can be read here.
Texas Health and Human Services Commission fined over data breach
On November 7th, the U.S. Department of Health and Human Services (HHS) fined the Texas Health and Human Services Commission (THHSC) $1.6 million for violations of HIPAA Privacy and Security Rules.
The fine, imposed by the HHS Office for Civil Rights (OCR), stemmed from the unauthorised disclosure of electronic protected health information (ePHI), which included names, addresses, treatment information and Social Security numbers of more than 6,500 people. The breach was first reported in June 2015 by the Texas Department of Aging and Disability Services (DADS), which was subsequently merged into THHSC in 2017. The ePHI was collected by DADS in order to report to the Centers for Medicare & Medicaid Services, and in furtherance of its disability assistance programme.
The breach resulted from the transfer of an application with access to ePHI from a private server to a public one, which allowed unauthorised users to access the data without presenting any credentials. In announcing the fine, OCR revealed that DADS was unable to determine how many unauthorised persons had accessed the individuals' health data because its audit controls were inadequate.
Specifically, it was held that THHSC committed the following violations of HIPAA Privacy and Security Rules:
- Impermissible disclosure of 6,617 individuals' ePHI by placing it on a public server, permitting unauthorised user access without requiring the entry of access credentials;
- Failing to implement system audit controls, and providing no evidence that the transferred application was capable of auditing user access once moved to the public server;
- Failing to require users to enter access credentials in order to access or view ePHI;
- Failing to perform an accurate and thorough risk analysis.
In considering the size of the fine, OCR noted that the breach did not result in any individuals losing access to health care, and that none of the affected individuals suffered any financial, physical or reputational harm. Furthermore, THHSC removed the application immediately once it learned of the unauthorised access. However, as DADS had failed to conduct an agency-wide risk analysis by the date required by OCR, a fine of $1,000 per day was imposed for the period of non-compliance, as provided for under the HITECH Act.
Last minute amendments to California Consumer Privacy Act
The California legislature passed several amendments to the California Consumer Privacy Act (CCPA), which were signed into law by Governor Gavin Newsom just before the legislature's October 13th deadline.
The landmark law applies to businesses that meet at least one of three threshold criteria: a) annual gross revenue in excess of $25 million; b) buying, receiving, selling or sharing for commercial purposes the personal information of 50,000 or more consumers, households or devices annually; or c) deriving 50% or more of annual revenue from selling consumers' personal information. Important amendments to the CCPA include:
- A one-year exemption from the CCPA's application for employee and other human resources data and for certain business-to-business transactions, as well as a full exemption for data subject to the Fair Credit Reporting Act;
- "Personal information" is now defined to include information that is reasonably capable of identifying a consumer, but does not include aggregate or de-identified data;
- A consumer wishing to assert a private right of action under the CCPA following a breach must show that the business failed both to encrypt and to redact the personal information concerned, not merely one or the other;
- Businesses that sell consumer data of consumers that they do not have a direct relationship with are to be deemed data brokers, and must submit to annual reporting and registration;
- Exclusively online businesses need only provide an email address in order for consumers to assert their rights.
These amendments have considerably changed the scope and applicability of the CCPA. However, the law will still come into effect on January 1, 2020, and businesses must quickly determine whether they fall under one of the CCPA’s threshold criteria.
Senate Democrats unveil Core Principles for future Federal Privacy Legislation
On November 18th, four ranking Senate Committee members from the Democratic Party, Dianne Feinstein, Patty Murray, Sherrod Brown and Maria Cantwell, offered a set of core principles to underpin future federal privacy legislation. The principles cover four main categories of consumer privacy issues:
- Invigorating Competition
a. Market Power Checks: Consumers must be able to prevent their data from being commingled across separate businesses within an enterprise;
b. Data Portability: Consumers must be empowered to take their data to a company of their choosing.
- Strengthening Consumer and Civil Rights
a. Individual Consumer Rights: Consumers must have the right to access, delete, correct, restrict and know of the transfer and retention of their records;
b. Civil Rights Protection: Consumers must have transparency into black box algorithms resulting in discrimination, and must have the ability to challenge those decisions.
- Imposing Real Accountability
a. Corporate Accountability: Mechanisms must shift the responsibility and liability from consumers to companies;
b. Federal Enforcement and Rulemaking: Federal enforcers must have streamlined rulemaking authority and the ability to seek significant civil fines and criminal penalties;
c. State and Private Remedies: Federal enforcement should be complemented by state enforcement, and there must be a meaningful private right of action.
- Establishing Data Safeguards
a. Minimisation: Data collection must be minimised to be narrowly tailored to its authorised use;
b. Abuse Prevention: Standards must ensure that data is only processed in a transparent manner, meeting consumers’ expectations;
c. Sharing Limits: Clear rules must be established to limit data sharing to that which is needed to carry out the express purposes authorised and expected by consumers;
d. Security: Organisations must have higher standards for retaining and securing data.
For more information please contact Partner, James Tumbridge at jtumbridge@vennershipley.co.uk.