Changes to CLIA and HIPAA Provide Greater Patient Access to Laboratory Test Reports

On February 3, 2014, the U.S. Department of Health and Human Services (HHS) released a long-awaited final rule that amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations to permit patients and their personal representatives to access laboratory test reports. By requiring expanded access, HHS rejects what some have characterized as “paternalistic” arguments that such reports are complicated and should be provided only through treating physicians. HHS justifies the rule as necessary to empower patients to take an active role in managing their health and healthcare. As anyone who has tried to interpret a laboratory test report can attest, whether the stated objectives of the new rule will be achieved has yet to be seen.

European Parliament’s Civil Liberties Committee Report calls for immediate suspension of Safe Harbor

A draft report by the European Parliament’s Civil Liberties Committee (the LIBE Committee) indicates that it is attempting to fundamentally alter the existing compliance mechanisms for transferring personal data from Europe. The recently leaked draft is dated December 23, 2013 and sets out the LIBE Committee’s response to the U.S. NSA surveillance programs, surveillance in various EU Member States and the impact on EU citizens’ fundamental rights and on transatlantic cooperation (the Report).

Data protection challenges in the new era of Big Data

Data Protection Law & Policy

“Data is the new oil” – This statement by Neelie Kroes in 2011 has since been on everyone’s mind and with the constant development of new technologies, the importance of data has grown dramatically over the past few years and in recognition of this it seems that we have now entered into a new era: the era of Big Data. William Long and Geraldine Scali, Partner and Associate respectively at Sidley Austin LLP explore the potential data protection issues that may arise.

Heads Up for Privacy, Data Protection and Cybersecurity in 2014

The new year will ring in significant privacy, data protection and cybersecurity changes in the U.S., Europe, Asia and elsewhere around the world. Below are some key developments and possible concrete action items for General Counsels, Chief Privacy Officers and Chief Information Officers:

European Commission makes recommendations to strengthen Safe Harbor

The European Commission has released a comprehensive package of communications, reports and papers that set out actions which the Commission believes can restore trust in transatlantic data flows between the European Union and the United States following recent concerns over access to data by intelligence agencies.

The package included the following:

  • Communication: ‘Rebuilding Trust in EU-U.S. Data Flows’;
  • Communication: ‘On the Functioning of the Safe Harbor from the Perspective of EU Citizens and Companies Established in the EU’;
  • Report on the findings of the EU-U.S. Working Group; and
  • Review of the existing agreements on Passenger Name Records and the Terrorist Finance Tracking Program.

The Commission’s announcement focused attention on the EU-U.S. Safe Harbor, which is discussed below in this Alert, but a number of other key statements by the Commission are potentially relevant to multinationals, as well as Internet and technology companies. The Commission stressed the need for swift adoption of the EU’s data protection reform; strengthening data protection safeguards in the law enforcement area, including an agreement to guarantee a high level of protection for citizens, who should benefit from the same rights on both sides of the Atlantic (EU citizens not resident in the U.S. should benefit from judicial redress mechanisms); addressing European concerns in the on-going U.S. reform process (including extending the safeguards available to U.S. citizens to EU citizens not resident in the U.S., increased transparency and better oversight); and promoting privacy standards internationally, advocating in particular that the U.S. should accede to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”). Significantly, the Commission also makes clear that standards of data protection will not be part of the on-going negotiations for a Transatlantic Trade and Investment Partnership. The Commission also noted that its proposed new data protection regulation “includes clear rules on the obligations and liabilities of data processors such as cloud providers, including on security. As the revelations about U.S. intelligence collection programs have shown, this is critical because these programs affect data stored in the cloud. Also, companies providing storage space in the cloud which are asked to provide personal data to foreign authorities will not be able to escape their responsibility by reference to their status as data processors rather than data controllers.”

One of the main actions by the Commission as part of the package is a review of the U.S.-EU Safe Harbor agreement that was agreed in 2000 and allows for transfer of personal data from the EU to companies in the U.S. that self-certify with the U.S. Department of Commerce as complying with certain privacy principles. Safe Harbor has proved popular as a means of allowing for international transfers of personal data from the EU to the U.S. with over 3,200 U.S. companies having self-certified.

However, there has been growing concern among some EU Data Protection Authorities about Safe Harbor and in particular its reliance on self-certification and lack of enforcement. In July 2013, Data Protection Authorities in Germany announced that they had decided not to issue new permissions for data transfers to countries outside the EU and would examine whether data transfers on the basis of Safe Harbor should be suspended. The Commission in its Communication on the Functioning of Safe Harbor comments that “Given the weaknesses identified, the current implementation of Safe Harbor cannot be maintained. However, its revocation would adversely affect the interests of member companies in the EU and the U.S. The Commission considered that Safe Harbor should rather be strengthened.”

So Safe Harbor is to be retained but amended to add further privacy protections. More specifically, the European Commission makes thirteen recommendations designed to strengthen Safe Harbor, grouped under transparency, redress, enforcement and access by U.S. authorities. The last group concerns the national security exception, which allows the Safe Harbor principles to be limited “to the extent necessary” to meet national security, public interest or law enforcement requirements:

Transparency

1. Self-certified companies should publicly disclose their privacy policies: this recommendation makes it clear that it is no longer sufficient for Safe Harbor companies to disclose a mere description of their policy. Privacy policies should be made publicly available on the company website.

2. Privacy policies of self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbor website which has the list of all current members adhering to the scheme: this recommendation would allow for immediate verification of a Safe Harbor company and would lessen the ability for false claims of adherence by non-adhering companies.

3. Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors e.g. cloud computing services: Safe Harbor allows for onward transfers from the Safe Harbor company to third parties acting “as agents” (e.g. cloud providers) but the third party should enter into a contract with the Safe Harbor company under which the third party agrees to provide the same level of privacy protection as the Safe Harbor principles. The Commission recommends that the Department of Commerce should be notified of such contracts and the privacy safeguards should be made public.

4. Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme: the Commission recommends that the label ‘Not current’ be included on the Department of Commerce list of Safe Harbor members which should be accompanied by a clear warning that a company is currently not fulfilling Safe Harbor requirements.

Redress

5. The privacy policies on companies’ websites should include a link to ADR (Alternative Dispute Resolution) providers and/or the EU panel: the Safe Harbor principles require that a readily available and affordable independent mechanism must be in place by which complaints and disputes are investigated. The Commission considers that providing a link to the ADR provider or the EU panel would allow for an individual to immediately contact the ADR provider or the EU panel in the case of problems.

6. ADR should be readily available and affordable: this recommendation is meant to eliminate the charging of fees by some ADR providers under the Safe Harbor scheme.

7. The Department of Commerce should monitor ADR providers more systematically regarding the transparency and accessibility of the information they provide concerning the procedure used and the follow-up they give to complaints: according to the Commission, this recommendation should make dispute resolution an effective and trusted mechanism, with publication of non-compliance findings among the sanctions available to ADR providers.

Enforcement

8. A certain percentage of certified or re-certified companies under Safe Harbor should be subject to investigations of effective compliance of their privacy policies. This recommendation is based on the Commission’s view that although privacy policies are reviewed by the U.S. Department of Commerce when a company renews its certification there is no evaluation of the actual practice of compliance by that company with the Safe Harbor principles.

9. Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to a follow-up investigation after one year.

10. In the case of doubts about a company’s compliance or pending complaints, the Department of Commerce should inform the competent EU Data Protection Authority.

11. False claims of Safe Harbor adherence should continue to be investigated. According to the Commission, a company that claims to be complying with Safe Harbor requirements while not listed by the Department of Commerce is misleading and weakens the credibility of the system, and so such companies should be investigated.

Access by U.S. authorities

12. Privacy policies of self-certified companies should include information on the extent to which U.S. law allows public authorities to collect and process data transferred under the Safe Harbor scheme. This recommendation is also extended so privacy policies should explain how the company would apply exceptions to the Safe Harbor principles to the extent necessary to meet requirements of national security, public interest or law enforcement.

13. The exception of national security under Safe Harbor should only be used to the extent that it is strictly necessary or proportionate: the Safe Harbor Communication further specifies that EU data subjects have no opportunity for access, redress or rectification relating to the processing of their personal data under U.S. surveillance, therefore there is a need to restrict exceptions to that which is strictly necessary or proportionate to the reason for which the exception is being used.

According to the Commission for Safe Harbor to work as intended, the monitoring and supervision by U.S. authorities of compliance of self-certified companies with the Safe Harbor Principles needs to be more effective and systematic and the thirteen recommendations are intended to achieve this. The Commission will now engage with the U.S. authorities to discuss how to strengthen Safe Harbor with amendments to be identified by summer 2014 and, according to the Commission, implemented as soon as possible. At the same time the Commission will be undertaking a more detailed review of Safe Harbor which will involve an open consultation and a debate in the European Parliament and at the Council of Ministers.

For companies that are currently self-certified under Safe Harbor, or in the process of becoming self-certified, it will be a relief to know that the Commission is not currently intending to suspend Safe Harbor. However, a number of measures to strengthen it are likely to be considered, so the position should be closely monitored and other international data transfer solutions, such as Binding Corporate Rules, should also be considered.

If you have any questions regarding this update, please contact the following or the Sidley lawyer with whom you usually work:

William Long, Partner
44.20.7360.2061
wlong@sidley.com

John Casanova, Partner
44.20.7360.3739
jcasanova@sidley.com

Edward McNicholas, Partner
1.202.736.8010
emcnicholas@sidley.com

Alan Raul, Partner
1.202.736.8477
araul@sidley.com

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

European Parliament votes on new EU Data Protection Regulation

The European Parliament’s Civil Liberties Committee (the “LIBE Committee”) has after several delays finally voted on the European Commission’s proposed EU Data Protection Regulation and adopted all amendments. The LIBE Committee also approved a mandate to start negotiations with the Council of Ministers (which represents EU Member States) and the Commission – the so called trilogue process. The Regulation was published by the European Commission in January 2012 and has been described as the most lobbied piece of European legislation in history receiving over 4,000 amendments in opinions from other Committees in the European Parliament as well as from numerous industries.

The Council of Ministers has also been very active and a compromise text containing amendments to the Proposed Regulation was published in June 2013. During its vote the LIBE Committee urged the Council to finalize its position quickly. The race is now on to see if the European Commission, the European Parliament and the Council of Ministers can agree on the text of the proposed Regulation before the European Parliamentary elections in May of next year. Once adopted, the Proposed Regulation will have a significant impact on governments, businesses and individuals for the rest of this decade and beyond. Based on the latest amendments of the LIBE Committee, the main elements of the proposed Regulation are summarized below.

Enforcement

In a surprise move the maximum fine for non-compliance with the proposed Regulation has been dramatically increased, from the Commission’s proposed 2% of annual worldwide turnover to 5%, with an ability for individuals and any association acting in the public interest to bring claims for non-compliance.

Scope of Regulation

The Regulation will apply to the processing of personal data in the context of the activities of a data controller or a processor in the EU and to a controller or processor not established in the EU, where the processing activities are related to (a) the offering of goods or services to EU citizens; or (b) the monitoring of such individuals. This means that most non EU companies that have EU customers will need to comply with the proposed Regulation once implemented.

One Stop Shop

The latest amendments provide for a new regulatory “one stop shop”: where a company operates in several EU countries, the DPA of the country in which it is established will be the lead DPA. The lead DPA must consult with the other DPAs before taking action, and a dispute between DPAs can be decided by the European Data Protection Board.

Profiling

Significantly for online companies, under the Regulation every individual will now have a general right to object to profiling. In addition, the Regulation imposes a new requirement to inform individuals about the right to object to profiling in a “highly visible manner”. Profiling which significantly affects the interests of an individual can only be carried out under limited circumstances, such as with the individual’s consent, and should not be fully automated but involve human assessment. These provisions, if adopted, could have a major impact on how online companies market their products and services.

Explicit Consent

Consent for processing personal data should be explicit with affirmative action required under the proposed Regulation. So the mere use of a service will not amount to consent. According to the proposal it should also be as easy to withdraw consent as to give it with consent being invalid where given for unspecified data processing. Processing data on children under 13 also requires the consent of the parent or legal guardian. The LIBE Committee also clarified that companies cannot make the execution of a contract or a provision of a service conditional upon the receipt of consent from users to process their data.

Standardized Information Policies

The proposed Regulation requires that certain standardized information should be provided to individuals in the form of symbols or icons similar to those used in the food industry. Individuals should also be informed about how their personal data will be processed and their rights of access to data, rectification and erasure of data and of the right to object to profiling as well as to lodge a complaint with a Data Protection Authority (“DPA”) and to bring legal proceedings.

Right of Erasure

In the latest amendments the “Right to be Forgotten” has been replaced by a “Right of Erasure” giving individuals a right to have their personal data erased where the data is no longer necessary or where they withdraw consent although certain exemptions also apply, such as where data is required for scientific research or for compliance with a legal obligation of EU law.

Accountability

Controllers will be required to adopt all reasonable steps to implement compliance procedures and policies that respect the choices of individuals which should be reviewed every 2 years. Importantly, controllers will need to implement privacy by design throughout the lifecycle of processing from collection of the data to its deletion. In addition, businesses will need to keep detailed documentation of the data being processed and carry out a privacy impact assessment where the processing presents specific risks such as use of health data or where the data involves more than 5,000 individuals with the assessment being reviewed every two years.

Data Protection Officers

Businesses with data on more than 5,000 people in any 12 month period or that process sensitive data, such as health data, will also need to appoint a data protection officer who should have extensive knowledge of data protection and who does not necessarily need to be an employee.

Security and Security Breaches

The controller and the processor will need to implement appropriate technical and organizational security measures. The proposal also requires that security policies contain a number of elements including, for example, a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness. In addition, security breaches will need to be notified to DPAs without undue delay.

Data Transfers

In addition to Binding Corporate Rules and other data transfer solutions a new method allowing for international data transfers of personal data from the EU includes use of a “European Data Protection Seal” awarded by European DPAs for businesses and recipients that are audited for compliance with the Regulation. The latest amendments also re-introduce an important provision requiring that any requests for access to personal data by foreign authorities or courts outside the EU must be authorized by a DPA.

Health Data

The Regulation also has important provisions relating to the use of health data, including that processing of personal data for scientific research is only permitted with consent, subject to exceptions by Member States where the scientific research serves a high public interest and the data is either anonymized or pseudonymized under the highest technical standards, with measures to prevent re-identification of individuals.

The proposed Regulation reflects the growing concern that governments, regulators and society have about data protection and privacy issues and should continue to be closely monitored as it moves closer to adoption, which could take place over the next few months.

The UK Data Protection Authority issues a Code of practice on anonymization

In November 2012, the UK Information Commissioner’s Office (ICO) published a Code of Practice on managing data protection risks related to anonymization. This Code provides a framework for organisations considering using anonymization and explains what the ICO expects from organisations using such processes.

One of the benefits of anonymization is that the onerous data protection obligations under EU data protection laws, including the UK’s Data Protection Act 1998, will not apply to data rendered anonymous such that individuals are no longer identifiable.

As the Code notes, anonymization can allow organisations to make information derived from personal data available in a form that is rich and usable whilst protecting individuals.

The main good practices and recommendations provided in the Code are summarised below:

  • Personal data, anonymization and identification: the Code highlights that the concept of “identify” and therefore “anonymized” is not straightforward because individuals can be identified in numerous ways and re-identification by a third party can also take place. It is therefore crucial for businesses to assess the risk of identification when they decide to disclose anonymized data.
  • Ensuring effectiveness of anonymization: the ICO recommends the use of the “motivated intruder” test to assess the risk of re-identification. This test involves determining whether a “motivated intruder”, who is a person who starts without any prior knowledge but wishes to identify the individual from whose personal data the anonymized data has been derived, would be successful. It can be done by (i) carrying out a web search to verify if date of birth and postcode can lead to the identification of a specific individual; or (ii) using social networks to establish if anonymized data can lead to an individual’s profile.
  • Consent: importantly, the Code provides that consent is generally not needed to legitimize an anonymization process as it could be logistically onerous or even be impossible to obtain such consent.
  • Governance: organisations using anonymization should have in place an effective and comprehensive governance structure that should include (i) a Senior Information Risk Owner (SIRO) with the technical and legal understanding to manage the process, (ii) staff trained to have a clear understanding of anonymization techniques, the risks involved and the means to mitigate them, (iii) procedures for identifying cases where anonymization may be problematic or difficult to achieve in practice, (iv) knowledge management regarding any new guidance or case law that clarifies the legal framework surrounding anonymization, (v) a joint approach with other organisations in their sector or those doing similar work, (vi) use of a privacy impact assessment, (vii) clear information on the organisation’s approach to anonymization including how personal data is anonymized and the purpose of the anonymization, the techniques used and whether or not the individual has a choice over the anonymization of their personal data, (viii) review of the consequences of the anonymization programme, and (ix) a disaster recovery procedure should re-identification take place and an individual’s privacy be compromised.
  • Trusted Third Party: a Trusted Third Party is an organisation which can be used to convert personal data into anonymized data. The Code highlights the value of using a Trusted Third Party arrangement especially where a number of organisations each want to anonymize personal data they hold for use as part of a collaborative project. Use of Trusted Third Party arrangements can facilitate large scale research using data collected by a number of organisations without the organisations involved ever having to access each others’ personal data. It also allows researchers to use anonymized data when the use of personal data is not necessary or appropriate, and can be used to link datasets from separate organisations to create anonymized records for researchers.
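The Code’s “motivated intruder” test and its warning that removing names is not the same as anonymizing can be made concrete with a small check. The following is an added example written for this post, not part of the ICO Code or any ICO tooling; the records, postcodes and the intruder’s “public” knowledge are all constructed. It counts how many released records share each combination of quasi-identifiers (date of birth and postcode, the two fields the Code singles out), simulates an intruder who has learned a target’s DOB and postcode from a web or social-media search, and then shows how coarsening those fields and suppressing small groups reduces what that intruder can learn.

```python
"""Added example, not from the ICO Code or the original post.

A toy "motivated intruder" check: given a release with direct identifiers
removed, count how many records share each combination of quasi-identifiers
(k-anonymity) and simulate an intruder who already knows a target's date of
birth and postcode. All records and postcodes are constructed.
"""
from collections import Counter

# Constructed release: names removed, but exact DOB and full postcode kept.
RELEASE = [
    {"dob": "1984-03-12", "postcode": "SW1A 1AA", "condition": "asthma"},
    {"dob": "1984-03-12", "postcode": "SW1A 1AA", "condition": "diabetes"},
    {"dob": "1987-07-30", "postcode": "SW1A 2BB", "condition": "asthma"},
    {"dob": "1975-11-02", "postcode": "EC1A 1BB", "condition": "hypertension"},
    {"dob": "1975-11-19", "postcode": "EC1A 1BB", "condition": "asthma"},
    {"dob": "1962-01-05", "postcode": "M1 1AE", "condition": "diabetes"},
    {"dob": "1965-09-21", "postcode": "M1 2AA", "condition": "asthma"},
]


def exact_key(rec):
    """Quasi-identifiers as released: full date of birth and full postcode."""
    return (rec["dob"], rec["postcode"])


def generalised_key(rec):
    """Coarsened quasi-identifiers: decade of birth and outward postcode."""
    return (rec["dob"][:3] + "0s", rec["postcode"].split()[0])


def class_sizes(records, key):
    """How many records share each quasi-identifier combination."""
    return Counter(key(r) for r in records)


def min_k(records, key):
    """Smallest equivalence class. k == 1 means at least one record is unique,
    so anyone who knows that person's DOB and postcode can single them out."""
    return min(class_sizes(records, key).values())


def suppress_small_classes(records, key, k):
    """Drop records whose quasi-identifier group has fewer than k members."""
    sizes = class_sizes(records, key)
    return [r for r in records if sizes[key(r)] >= k]


def intruder_attack(records, key, known):
    """The motivated intruder: `known` holds a target's DOB and postcode
    learned elsewhere (constructed here). Returns the sensitive values still
    consistent with the target; a single value is a disclosure."""
    target = key(known)
    return {r["condition"] for r in records if key(r) == target}


if __name__ == "__main__":
    # Intruder's constructed knowledge about one target.
    target = {"dob": "1987-07-30", "postcode": "SW1A 2BB"}
    print("min k, exact fields:      ", min_k(RELEASE, exact_key))
    print("intruder learns (exact):  ", intruder_attack(RELEASE, exact_key, target))
    print("min k, generalised:       ", min_k(RELEASE, generalised_key))
    print("intruder learns (general):", intruder_attack(RELEASE, generalised_key, target))
    safe = suppress_small_classes(RELEASE, generalised_key, k=3)
    print("records surviving k=3:    ", len(safe), "min k:", min_k(safe, generalised_key))
```

With the fields as released, four of the seven records are unique on DOB plus postcode, and the intruder who knows the target’s details reads off a single condition. Generalising to decade of birth and outward postcode leaves no unique record and the same intruder is left with two candidate conditions; enforcing k=3 by suppression removes four records, which is the utility cost the Code asks organisations to weigh against re-identification risk. The same check applies to pseudonymised data: replacing a name with a token does nothing about linkage on the quasi-identifiers that remain.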

The Code also clarifies when the research exemption under the UK Data Protection Act can be relied upon to process personal data for research purposes and concludes with explanations of key anonymization techniques and various case studies such as one on the use of anonymization in clinical studies.

The Code which also sets out other good practices and recommendations is welcome having been published at a time when anonymization techniques and the status of anonymized data are key issues for many industries including digital media, financial services and life sciences. Anonymization and the ability to use data will also remain key issues with the current discussions on the proposed EU Data Protection Regulation and clarity on these issues at an EU level would also be welcome.

For further details on anonymization of personal data please contact William Long (wlong@sidley.com) or John Casanova (jcasanova@sidley.com).