Information Privacy Law
The APEC Privacy Framework nine principles are: (page 1203)
Preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, accountability
Electronic Communications Privacy Act (ECPA) Chapter 3 and page 894
Prevents certain kinds of information collection, use, and disclosure by commercial entities. 1. the Wiretap Act, 18 USC 2510-2522, which regulates the interception of commincations; 2. the Stored Communications Act, which regulates communications in storage and ISP subscriber records, and 3. the Pen Register Act, which regulates the use of pen register and tap and trace devices. The attempts to use ECPA to regulate commercial entities using personal information primarily seek to use the Wiretap Act or the SCA.
Video Privacy Protection Act
Prohibits a video tape service provider from 1. knowingly disclosing to any person. 2. personnally identifiable information concerning any consumer of such provider. 3. except for certain disclosures such as to the consumer law or law enforcement under section 2710(b)(2). 18USC 2710
CASL (Canada's Anti-spam Law)
Prohibits sending unsolicited commercial emails. It requires express consent from a reciepnt before sending emails. Implied consent is recogmized in the case of asn existing business relationship. Forbids the installation of a computer program on another person's computer or causing an email to be sent by such a computer with the installed program and collecting personal information by means of unauthorized access to computer systems. It provides for administrative monetary penalities and private right of action.
Opt-in
Provision establishes a default rule that the company cannot use or disclose personal information without first obtaining the express consent of the individual. (page 829)
Health care clearinghouse
Public or private entity that processes health information into various formats-either into a standard format or into a specialized formats for the needs of the specific entities.
Privacy Shield (p.1189 principles)
Replaced the US-EU Safe Harbor standard. Safeguards data being transferred between the EU and US. Enables US companies to more easily receive personal data from the EU/comply with EU privacy laws. Self-certification process that the company complies with EU data protection standards. Used by any company that collects, stores, or processes personal data between the EU and US companies.
FTC Safeguards Rule (per Gramm-Leach-Bliley Act)
Requires the designation of one employee at the covered entity to manage the company's responsiblities pursuant to tbe Rule. This is an example of industries, laws or regulations that require a designated employee to handle privacy.
Self-Regulation Consumer Privacy
Self-Regulation has formed a key foundation for U.S. Consumer Privacy Law. For example: Businesses post privacy policies on their websites and offer a choice to opt-out of some uses of their data.
California's first data breach notification
Shine the light law allows consumers to obtain from businesses information about the personal data that the businesses disclosed to third parties for direct marketing purposes. (pages 789-790)
FTC Section 5 Enforcement (page 789)
Since mid-1990s the FTC has used section 5 to regulate consumer privacy. Section 5 of the FTC Act to regulate consumer privacy. Section 5 prohibits " unfair or deceptive acts or practices in or affecting commerce."(U.S.C. section 45) The FTC views violations of privacy polices as a "deceptive" practice. It views a number of other practices as "unfair". The FTC's section 5 jurisdiction is quite broad and encompasses most industries ( except for a few carve outs). The FTC has become the dominate agency regulating privacy in the US.
Violations of privacy polices
Since the 1990's the FTC has deemed violations of privacy policies to be "unfair or deceptive" practice under the FTC Act.
Property Law (Information)
Some argue that personal data should be treated akin to property and should be purchased or traded for ifc it is to be used in certain ways.
APEC Privacy Principles "Use Principle":
Specifies that personal information should be used "only to fufill the purposes of collection and other compatible or related purposed, except when used with consent of the individual or pursuant to legal authority. Section 19
HIPPA Privacy Rule
Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information.
Privacy Policies
Statements about how a company will use and protect a consumer's private data. Also known as Privacy Notices
Opinion 1/15 (pages 1197_1202)
The ECJ invalidated the proposed PNR agreement between the EU and Canada.
European Data Protection Board's consistency mechanism-Art (68)
The EDPB has the power to make both non-binding recommendations and binding decisions in individual cases. (Art. 65) In case where multiple supervisory authorities are involved and cannot reach consensus.
FTC allowed Privacy policies to create a Quasi-self-regulation
The FTC's involvment has allowed companies to define substantial terms of how they will collect, use, and disclose personal data. Companies are held accountable to those terms by the FTC creating a quasi-self-regulation.
Ordinary Course of Business (VPPA defined)
"debt collection activities, order fulfilment, request processing, and transfer of ownership."
California Consumer Privacy Sct (CCPA)
1 Right to know 2 Right to delete 3. Right to opt-out 4. Right to non-discrimination for exercising their CCPA rights 5. Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.
Privacy Shields four core principles page 1193
1. Data Integrity 2.Purpose Limitation "Choice". 3. Enforcement 4. Oversight
3 things the FTC requires a company to do when hiring a data service provider (per GMR CASE pg. 872)
1. Exercise due diligence before hiring third parties. 2. Have appropriate protections of data in their contracts with data servi e providers. 3. Take steps to verify the data service providers are adequately protecting data.
Intrusion Tort
1. Intrusion into a private place conversion or matter. 2. in a manner highly offensive to a reasonable person.
FTC Privacy Shield Enforcement Powers
1. Referral prioritization and investigations. 2. Addressed false or deceptive Privacy Shield 3. continued order monitoring 4. Enhanced engagement and enforcement cooperation with EU data protection authorities.
Three Predominate PII Approaches (Definitions):
1. Tautological 2. Non-public 3. specific types
FTC Consent Decrees contain the following elements (851)
1. prohibition on the activities in violation of the FTC. 2. steps to remediate problematic activities , such as software patches or notice to consumers. 3. Deletion of wrongfully-obtained consumer data. 4. modifications to privacy polices. 5. establishment of a person to coordinate the program, and employee training, amoung other things. 6. biennial assessment reports by independent auditors. 7. recordkeeping to facilitate FTC enforcement of the order. 8. obligation to alert the FTC of any material changes in the company that might affect compliance obligations (such as mergers or bankruptcy filings).
Business Associate
A person or entity, who on behalf of the covered entity, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing.
Controller
A person or organization which, alone or jointly with others, determines the purpose and means of the processing of personal data.
Privacy Program
A privacy program typically has both elements involving compliance and strategy.
Habeas Data
A special judicial measure that permits any person to know the content and purpose of the data pertaining to him/her in public records or certain private records. It permit an individual to find out what information is held about them and gain certain traditional information prrivacy rights with respwct to that data.
Omibus Laws
Act as a general safety net in Europe and other countries for areas or regulatory issues that sectoral statutes may not address.
Video tape service provider (VPPA)
Amy person, engaged in the business, in or affecting interstate or foriegn commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.
Federal Data Protection Act (FDPA) Mexico (page 1207) (general information privacy law)
An omnibus law, following the EU model, requires a lawful basis for collecting, processing, and disclosing personal information. It requires that all personal data be kept accurate and update dated and used only for tge purposes for which it was collected. The statute embodies the "habeas data" which is the idea that the individual to whom the data refers is treated as a "data owner" with legal rights, such as those of access, that derive from this status.
Writ of mandamus
An order from a court to an inferior government official ordering the government official to properly fulfill their official duties or correct an abuse of discretion.
Protected Health Information (PHI)
Any information whether oral or recorded in any form or medium, that "is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past present, or future payment for the provision of health care to an individual."
Processing of personal data
Any operation or set of operations which is performed upon personal data, whether ir not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
Omnibus Rule definition of a Business Associate
Any subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
HIPPA regulations
Apply to health plans, healthcare clearinghouses, and health care providers which are considered covered entities,
Data Subject
Art. 7(1) An EU term of art that refers to "an identified or identifiable natural person."
APEC
Asia-Pacific Economic Cooperation
Californias other privacy laws
Black box notification in rental cars. Confidentiality of Medical Information Act (CMIA)-General health information privacy law for the state. Song-Beverly Credit CardAct- Limits the kinds of personal information collected by companies that accept credit cards. State statues that rely on PII as a juris trigger include the Song-Beverly Act and many data security breach notification laws. These laws share the same basic assumption-absence of PII, and there is no Privacy.
Privacy on the ground(Page 788 Bamberger and Mulligan)
CPO's emphasized the importance of "company law". Company law is a consistent and coordinated firm-specific global privacy policies intended to ensure that a firm both complies with the requirements of all relevant jurisdictions and acts concordantly when dealing with addituonal business issues not governed by any particular regulation.
PIPEDA (Personal Information Protection and Electronic Documents Act)
Canada's privacy law which extends to all "personal information" used in connection with any commercial activity. It is retroactive and applies to non-Canadian entities.
Federal Regulations that turn on PII
Children's Online Privacy Protection Act Gramm-Leach-Bliley Act HITECH Act Video Privacy Protection Act
Standard Contract Clauses(SCC's)(AfterShrems)
Companies that follow these "off-the-rack" terms for a given data transfer will be considered to have met the EU's adequacy standard.
CBPR (APEC)
Cross Border Privacy Rules elements: 1. Self Assessment 2. Compliance Review 3. Recognition/Acceptance 4. dispute resolution and enforcement. Currently 3 countries are participating: Japan, US and Mexico. FTC is the main enforcement. See page 1204 for details of ther elements.
Personal data or personal information
Data about an identified or identifiable individual that are within scope of the Directive, received by an organization in the U.S. from the EU amd recorded in any form.
Tautological
Defines PII as any information that identifies a person. The Video Privacy Protection Act demostrates this model (Page 794)
Chief Privacy Officer (CPO)
Developes a privacy program within an institution (Compliance and Strategy(. Often helps manage not only the information companies have about consumers but also the data maintained about the workforce.
Consumer Data Privacy-Sectoral Laws
Different laws regulate different industries (various sectors of the economy)
APEC Cross Border Cooperation
Does not affect "the right of Member Economies to decline or limit cooperation on particular investigations or grounds yhat compliance with a request for cooperation would be inconsistent with domedtic laws, policies or priorities, or ground of resource constraints, or based on the absence of a mutual interest in the investigations in question (Paragraph 44)
Shrems v. Data Protection Commissioner European Court of Justice (Oct 2015)
ECJ struck down the Safe Harbor arrangement with the US. This opinion takes decisive steps to develop EU constitutional law of data protection. ECJ called for a standard of "essentially equivalent" protection in looking at the totality of protection in the third-party nation. 1. ECJ identified a violation of Article 7 of the Charter by Safe Harbor's providing access to the US Government of the Charter by the Safe Harbor's providing access to the US Government of the data of EU citizens. 2. Luxemburg Court observed that an "adequate level of protection of fundamental rights and freedomd that is essentially equivalent to that guaranteed within the "EU". 3. The Charter's Article 8(1) and (3) safeguarded the "complete independence" of data protection commissioners. ECJ invalidated the Safe Harbor for its failure to meet the adequacy standard.
Binding Corporate Rules (BCR's) (AfterShrems)
EU permits as a means to meet the Directive's "adequacy test" if approved by a supervisory authority. These can only be used when international data transfers occur within a single company or a group of affiliated companies. (Art. 47) (p. 1186)
Omnibus Approach to Regulate Privacy
Europe and many other countries regulate privacy using one overarching statute to regulate personal information irrespective of the industry that wishes to process the information.
CPO LEADERSHIP
Firms with CPO's have adopted a dynamic approach to privacy issues which stresses the importance of integrating practices into corporate decision-making that would prevent the violatio of consumer e,expectation.
EU-US Privacy Shield Framework( p. 1188)
For use solely by organizations in tge U.S. receiving personal data from the EU for purpose of qualifying Privacy Shield and therefore benefiting from the European Commission's adequacy decision. 1. An organization must self certify its adherence to the principles that ensure that EU data subjects continue to benefit from effective safeguards and protection as required by European legislation with respect to processing of their personal data when transferred to non-EU countries. (The U.S.) The Department of Commerce issued the Privacy Shield Principles. a.) Although entering into Privacy Shield is voluntary, effective ompliance is compulsory. Be subject to investigatory and enforcement powers ofc the FTC, Department of Transportation or other statutory body that ensures compliance. b.) Companies must publicy declare its commitment to comply with principles. c.) Publicy disclose it's privacy policies in line with these principles. d.) Fully implement the Privacy Shield privacy policies. Note: An organizations failure to comply is enforceable under Section 5 of the FTC Act prohibiting unfair and deceptive acts in or affecting commerce (15 U.S.C section 45 (a)) or other laws or regulations prohibiting such acts. The Department of Commerce shall maintain and make available an authoritative list of U.S. of organizations that have self certified and declared their commitment. The Department of Commerce shall maintain and make available an authoritative list of U.S. of organizations that have self certified and declared their commitment. and have been removed from the list. Adherence to the principles may be limited: a. Due to national security interests, public interest or law enforcement requirements. b. By statute, government regulation, or case law that creates conflicting obligations or explicit authorizations that can show it's non-compliance to the Principles is limited to an overriding legitimate interest furthered by authorization. c. The Member States law allow exceptions or derogations provided they are applied in comparable contexts. Consistent eith the role of enhancing privacy protections. d. Where the option is a allowable under Principles and/or other U.S. law, organizations are expected to opt for the higher protection where possiblel
FDPA Data Owners (Mexico)
Have rights to initiate claims and procedures pursuant to the statute begining 18 months after its enactment. (July 15, 2010)
HITECH Act of 2009
Health Information Technology for Economic and Clinical Health Act purpose was to facilitate the move to electronic health records. It mandated higher penalties for violations, made many more organizations subject to HHS enforcement and required HHS to conduct audits of HIPPA compliance. It contains the first federal data breach notification requirement. It requires notification of affect individuals "without reasonable delay" and not later than 60 days after discovery of the breach.
Omnibus Final Rule
In 2013 HHS issued a regulation to implement the changes mandated by the HITECH Act.
Contract Law (page 788)
In many instances companies have a privacy policy that specifies how that information is to be collected, used, or disclosed.
Privacy Enforcement Agent (APEC-CPBR)
In the US it is the FTC. The FTC is to take enforcement actions under applicable domestic laes and regulations.
U.S. Privacy Law
Lacks a uniform definition of the term and has multiple competing definitions, each with significant problems and limitations.
Privacy Act (Canada)
Like the US law. The Canadian Law limits the collection, use, and disclosure of information by federal government's entities and vests powers on the Privacy Commissioner to receive and investigate complaints, initiate an investigation on its own initiative, and to make findings and recommendations to government institutions.
State Statutory Regulation
Many states have passed sectoral legislation regulating business records and databases. State statues are sometimes stronger than federal. State statutes play a key role in protection of privacy. California can be said to have the strongest privacy law in the U.S. California statutes tend to protect personal data of California residents regardless of where the data processing occurs.
Opt-Out
Means a consumer's information will be processed unless she takes action to contact the data processing entity and indicate her contrary wishes.
Strategy (Privacy Program)
Means assessing privacy risks, training the workforce about privacy awareness, helping to shape products and services so that they minimize any potential privacy concerns and stopping or limiting a company's actions that consumers might find too privacy- invasive.
Compliance (Privacy Program)
Means developing safeguards, including training the workforce to make sure that the company follows all privacy and security laws and regulations.
Song Beverly Act
One of the most important State Privacy Laws. This law prevents business from requesting "personal identification information" during credit card transactions. Pineda-v. Williams-Sonoma Stores (Cal. 2011) page 795
HIPPA Security Rule
Operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called "covered entities" must put in place to secure individuals electronic protected health information (e-PHI).
OECD
Organization for Economic Cooperation and Development
PNR Data
Passenget Name, Record is information gathered by the airline and held by aircarriers. (p. 1197-1198)
Federal Rules of Civil Procedure (Page 1174)
Permit discovery of all information relevant to a claim or defense and define relevancy broadly.
HIPPA (Health Insurance Portability and Accountability Act)
Permits employees to change jobs without having their new health plan exclude preexisting conditions.
PII
Personally Identifiable Information is one of the most central concepts in privacy regulation. PII defines the scope and boundaries of a large range of privacy statues amd regulations.
General Data Protection Regulation (GDPR)
The GDPR is a directly binding statute that recognizes privacy as a human right and the high status of the individual. It is a directly enforceable statute that has the effect of independent national law and overrides contrary national laws. The GDPR has strong individual rights protections and limits the sweep of individual content and restricts the processing of sensitive data and the use of "automated decision-making. There must be a legal basis for processing of personal data. The principles of the GDPR require that information be: 1) "processed lawfully, fairly and in a transparent manner". 2) "collected for specified , explicit and legitimate purposes and not further processed in manner that is incompatible with those purposes. (Purpose limitation Art. 5) 3) Data minimization 4) Data Accuracy 5) Limited Storage 6) Integrity 7) Data security 8) Accountability for the data controller. In Article 51, the GDPR contains strong protections 9) Independent data protection authorities GDPR provides a right of correction (including incomplete data to be completed), imposes temporal limits on data use and a right of erasure. Consent to process personal data must be freely given, specific, informed and unambiguous. Further restricts for data of and sensitive information children. Consent can withdrawn at anytime. The burden of demonstrating consent is on the controller. (Art. 12)(5). The controller must demonstrate the data subject has consented to the processing of personal data. A contract cannot tie consent for an initial data processing operation to a second one. (Art. 7(b)) Monetary Fines are to be effective, proportionate and dissuasive. The "supervisory authorities" of Member States (commissions or commissioners) have the power to levy such fines. The amount of such fines are determined by the following factors: the nature, gravity and duration of the infringement, scope, or purpose of the processing concerned as well as the number of intentional or negligent character of the infringement. The GDPR permits fines under certain circumstances to reach as much as four percent of a company's worldwide revenues. (The requirement fines be proportionate may call into question the validity of a 4% fine of worldwide revenue.) Supervisory Authorities must be independent with the authority to perform its tasks and exercising powers in accordance with the regulation. (Note: It must be provided with all the resources necessary for effective performance of its tasks and the ability to exercise its powers.
Non-Public Approach
The Gramm-Leach-Bliley Act epitomizes this approach by defining "personally identifiable financial information" as "non-public personal information." The statute fails to define "non-public". Non-public is presumed that it is not found in the public domain. (page 795)
Privacy Regulation focuses on
The collection, use, and disclosure of PII and leaves non- PII unregulated.
Illinois Biometric Information Privacy Act (BIPA)
The public welfare, security and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.
Federal Statutory Regulatory
There are numerous federal statutes pertaining to consumer privacy . The US follows a sectoral approach, so statues differ in different industries and some industries lack their own law.
Privacy Notice (US)
This a privacy policy that describes the ways in which personal data will be collected, used or disclosed. Consumers may be given the choice to opt-in or opt-out of certain uses or disclosures.
Specific Types Approach
This means to list specific types of of data that constitute PII. The Children's Online Privacy (COPPA) Protection Act illustrates this approach. COPPA stayes that personal information is "individually identifiable about an individual collected online" that includes a number of elements: First Name Last Name Physical Address Social Security Number Telephone Number Email address Also, any other identifier that the FTC determines permits the physical or online contacting of a specific individual. A limitation is that it can fail to respond to new technology, which is capable of transforming the kinds of data that are PII.
Tort law
Tort law provides remedies for acts that cause personal injury but not for acts that interfere with physical security. Tort law has been used in privacy cases by plantiffs in response to various forms of data colection, use, or disclosure. Attempts to use the Warren and Brandeis privacy torts, which were originally developed to address issues involving privacy and the media, as well as other torts, such as negligence.
EU's Article 29
Working Party and officials from APEC member countries released a data transfer interoperability map. The interoperability map seeks to compare, or map the differences in the system and find ways to move to interoperability. It provides a checklist for oraganizations applying for authorization of Binding Corporate Rules and/or certification of CPBR. The joint document termed "referential" does not represent a mutual recognition by the two systems but to streamline the process if double certificationo
Business Associate Agreement (BA)
Written agreement requiring entities to follow HIPAA PHI privacy rules. Are directly liable for complaince with certain aspects of the HIPPA Privacy and Security Rules and makes these entities subject to HIPPA and HHS enforcementn
Healthcare Provider
a provider of medical or health services and any other person or organization who furnishes bills or is paid for healthcare in the normal course of business
Gramm-Leach-Bliley Act of 1999 (page 773)
authorizes widespread sharing of personal information by financial institutions such as banks, insurers, and investiment companies. The law permits sharing of personal infornation between companies that are joined together or affiliated aswell as sharing between unaffiliated companies. To protect privacy the Act requires a variety of agencies (FTC, Comptroller of Currency SEC, and others) to establish "approrpriate standards for the finanacial institutions" subject to their jurisdiction" and "protect against unauthorized access" 15 USC section 6801. Note: The privacy provisions (GLBA) only apply to "nonpublic personal information" that consists of "personally identifiable financial information". Thus the the only protects financial information that is not public.
APEC Integrity principle
calls for information to be completely up-to-date "to the extent necessary for the purposes of use," Paragraph 21
Opt Out provision
establishes a default rule that the company can use or disclose personal information in the ways it desires so ling as the consumer does not indicate otherwise. The consumer must take affirmative steps such a checking a box or writing a letter toopt out.
The Wiretap Act (1968)
generally prohibits the interception of wire, oral, or electronic communications. It provides a private right of action against anyone who intentionally intercepts, endevors to intercept, or procures any other person to intercept or endevor to intercept, any wire, oral or electronic communication. (page 896)
Health Plan
individual or group plan that provides or pays the cost of medical care.
Accountabilty Agent (CPBR)
is an organization that plays the role of certifying that a participating company is compliant with the requirements of the CPBR program. In the US it is TRUSTe.
PIPEDA (Personal Information Protection and Electronic Documents Act) (page 1205)
is based on OECD Privacy Guidelines and Canadian Standards Association (CSA) Model Code for Protection of Personal Information
Intrusion upon seclusion
physically or technologically disturbing another's reasonable expectation of privacy. If the intrusion would be highly offensive to a reasonable person.
Children's Online Privacy Protection Act (COPPA) 1998 (page 888)
regulates the collection and use of children's information by Internet websites. Applies to websites that collect personal information from children under age 13. It does apply to to information collected from adults about chldren under 13, only spplies to personal data collected directly from children.
Gramm-Leach-Bliley Act
requires certain types of companies (financial institutions, insurance companies, and brokerage companies) to maintain privacy policies.
Privacy Notice Guidelines (Merxico-2013)
requires consent is obtained and data privacy notices are provided before information is collected from a person, whether directly or through erlectronic means, such as cookies. The guidelines provide a framework for full notice, simplified notice and short notice depending on the circumstances of the information collected.
(Personal Information Protection and Electronic Documents Act)
requires individual consent prior to collection, use, or disclosure of personal data. Includes the OECD purpose specification principle, security safeguard principle, openess principle, accountibilty principle and data quality principle, etc... Empowers the Privacy Commissioner of Canada to investigate citizens complaints and to conduct audits. (page: 1206)
Telephone Consumer Protections Act (TCPA) page 912, 913
requires the FCC to promulgate rules to "protect residential telephone subscribers privacy rights and avoid recieving telephone solicitatiobs to which they object. The FCC is authorized ti require tgat a single national database be established of resiemtial subscribers who object to receiving telerphone solicitations. Creates a private right of action.
GLBA Safeguards Rule
requires the FTC and other agencies to establish security standards for nonpublic personal information. Financial institutions shall develop, implement, and maintain a comprehensive information security program that is appropriate to the "size and complexity of the institution, the "nature and scope" of the institution's activities, ans "sensitivity of any customer information at issue." An information security program is defined as "the administrative, technical, or physical safeguards [an institution uses] to access, collect, distribute, process, store, use, transmitt, dispose of, or otherwise handle customer information. (page 774)
