The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


California’s Proposed Right to Know Act

California State Assemblymember Bonnie Lowenthal has introduced a bill entitled the “Right to Know Act 2013.” Were it to be enacted, Assembly Bill No. 1291 would significantly expand a consumer’s right to know what of his information a business has retained and how the business is using it.

Altering current California law, which provides a right to know in cases where a customer has a “business relationship” with the business and the customer’s information has been shared for “direct marketing purposes,” the bill as currently proposed reads:

“This bill would instead require any business that retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer.”

The right to know provided by the California bill is similar in many respects to the right to access information held by a business that is afforded under the EU’s Data Protection Directive to EU citizens.

The bill has received positive reviews from organizations such as the Electronic Frontier Foundation. We’ll need to wait to see how Silicon Valley responds.

Because California often advances the conversation in the area of consumer protection and data privacy, it will be important to monitor how, and if, this proposal develops.


HHS Issues Final Rule Modifying HIPAA on Same Day Persons Are Identified via Anonymous Genetic Information

Happy MLK Jr. Day!

On Thursday of last week, the U.S. Department of Health and Human Services announced that it had issued a Final Omnibus Rule modifying HIPAA’s Privacy, Security, Enforcement and Breach Rules and HITECH’s Breach Notification Rule.

Health and Human Services Office for Civil Rights Director, Leon Rodriguez, stated that the modification brings “sweeping changes” to HIPAA’s Privacy and Security Rules. The sweeping changes include, among other things:

– Extension of HIPAA’s provisions to “business associates” and other downstream vendors
– Modifications to permissible marketing activities
– New provisions for potential data breach analysis and notification
– Modifications to an individual’s right to receive his/her PHI
– Restrictions on the use or disclosure of genetic information for underwriting purposes

The Final Rule totals 563 pages. Affected parties should therefore follow closely how the modifications are ultimately interpreted and implemented.

Much attention has been directed to how the Final Rule affects business associates, such as cloud services providers and other third-party industry players. But another important modification included in the Final Rule was the one made to the Genetic Information Non-Discrimination Act of 2008 (GINA). The modification included confirmation of a “prohibition on using or disclosing protected health information that is genetic information for underwriting purposes to all health plans that are covered entities under the HIPAA Privacy Rule” (there is an exception for certain long-term care policies).

Coincidentally (or no?), the day the Final Rule was issued, a team of researchers published an article in Science describing how they were able to identify 50 people using the DNA that they had submitted for research purposes. The researchers made the identification simply by pairing the genetic information from the DNA strands with information from publicly available online tools, such as Google searches and genealogy databases. The New York Times and other media have reported on the Science article.

This development underscores the increasingly important role that genetic information serves in both scientific research and medical care. The updates to GINA included in the Final Rule recognize this trend. It is likely that additional attention will be given to issues of privacy and genetically-sourced information (including PHI) as technology and medical practice develop.


Facebook and Microsoft Privacy Setting Updates & Influence of EU Regulators

Facebook released a new data privacy feature this past Friday. The feature consists of an introduction to how the account user’s information may be shared across Facebook. Everyone who creates a new Facebook account will be brought to the feature as part of the profile creation process.

In its post giving notice of the feature, Facebook mentioned that the feedback given by the Irish Data Protection Commissioner’s Office provided guidance for the feature’s development.

The development of the feature is another example of European data privacy regulators informing the practices of large US tech companies.

For instance, as noted in The Secure Times, Google has been in a tussle with European data privacy regulators throughout 2012 about changes to its privacy policy that it announced in January. And Microsoft’s recent update to its services agreement for Bing, Hotmail and its other online services has not received very much attention in the US (at least as compared to Google’s changes earlier this year), but EU regulators are reported to be looking into this as well, according to Bloomberg.

When changes in the management, use, and sharing of consumer data are pressed by local regulators, the need for operational efficiency may lead to global developments in data privacy features for some of the most popular online platforms.


The Philippines Signs New Data Privacy Act

On August 23, 2012, it was announced that President Benigno Aquino III of the Philippines signed the Data Privacy Act of 2012 into law, thus adding the Philippines to the growing ranks of countries with a comprehensive data privacy regime. The Act was passed by the Filipino legislature in March of 2012.

The Act contains many provisions that have become familiar in such comprehensive data privacy legislation.

The Act begins by declaring privacy to be a fundamental human right (Section 2).

The definition of personal information in the Act is fairly broad (“any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained”), and there is also a definition for sensitive personal information, which is deemed to include the standard repertoire of higher-level personal information (race, health, religion, political affiliation, etc.) (Section 3).

The scope of the Act is extra-jurisdictional in some important respects. The Act applies to any data controller or processor that is located in the Philippines, or that uses “equipment that are located in the Philippines.” This provision seems to be referring to data housing or cloud services that are maintained in the Philippines. Further, the Act specifically affirms its extra-jurisdictional scope by providing that any entity outside of the Philippines is subject to it when that entity has engaged in an act or practice that relates to the personal information of a citizen or resident of the Philippines. Importantly, the Act does not apply to personal information “originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines” (Section 4-6).

The Act sets up a National Privacy Commission. This independent body will have broad authority to administer the Act by, among other activities, handling complaints, providing guidance on the Act’s applicability, and recommending to the Filipino Department of Justice that it take action against persons who violate the act (Section 7). 

A list of data processing principles is provided for by the Act. Similar to the processing principles of other data privacy regimes, such as the European Directive, the processing must be lawful, reasonable, for a specific purpose, and the information may be retained only so long as it is needed for such purpose. There are also rules about the prohibition of processing of sensitive personal information, along with a list of exemptions and caveats: where consent has been given, for medical reasons, for legal reasons, for public administration and other explicitly lawful purposes, and in the case of incapacity on the part of the data subject (Sections 11-15).

The data subject possesses a set of rights under the Act. The data subject has the right to know of the processing of his/her personal information, to know the purpose and scope of the processing, the recipients of his/her personal information, the time period for the retention of the personal information, and the contact information for the controller or processor, among other things. Further, the data subject, as in similar data privacy laws, has the right to inquire into the above questions and receive an answer within a reasonable time period. A general exemption exists under the Act with respect to personal information processed for “scientific or statistical” research (Sections 16-19).

The data controller or processor is required to maintain a security system that is “reasonable and appropriate,” and must notify the Commission and affected data subjects in the event of a security breach. The notification may only be delayed in order to fully understand the scope of the breach, prevent further disclosures, or restore integrity to the system; thus, for all intents and purposes, notification must take place as soon as is practicable (Section 20).

The Act definitely has some significant teeth. Prison terms of up to six years and fines in the hundred-thousand-dollar range “shall” be imposed for violating the provisions of the Act. The Act specifies that if the offender is a legal person, its officers may be liable for the offense (Sections 25-37).

An important impetus for the Act is to bolster the data security environment in the Philippines in order to encourage further growth in the BPO sector. The Philippines is already seen by leading firms to be a new hot spot in BPO services, as this article by the Oxford Business Group reports. Foreign firms that use Philippine-based BPO services will want to ensure they are on the same page with their service providers as regards compliance with the Act.

As the APEC CBPR System moves forward, it will be interesting to observe the manner of Filipino participation. The Act does not provide very much detail on cross-border data transfer, and the portions that do address this question, including Section 21, seem to provide a basis for interoperability between the Act and the principles of the CBPR System. So it is possible that there could be quite a bit of synergy between the two programs.

The Act gives the Commission 90 days to create Implementing Rules and Regulations (“IRR”). Covered entities will have one year from the creation of the IRR, or such time as the Commission determines, to come into compliance with the Act. It will be important to monitor the manner in which the Commission implements the Act. Specifically, close attention should be given to the IRR when they are released later this year.