Information Intersection > Troutman Sanders LLP

FTC Reverses ALJ, Finds that LabMD Violated Section 5 of FTC Act

BY RONALD I. RAETHER, JR., MARK C. MAO AND RYAN A. LEWIS

Reversing the findings of an Administrative Law Judge, the FTC has found that LabMD, Inc., a former provider of clinical laboratory testing services to physicians, violated Section 5 of the FTC Act by failing to maintain proper data security practices.  The final order, issued on July 29, is notable in its position suggesting that the FTC has broad power to regulate even the extremely limited disclosure of personal medical information.

LabMD operated as a provider of laboratory testing services for physicians from 2001 to 2014.  The company maintained sensitive patient samples and testing information.  In 2013, the FTC issued a complaint against LabMD, which alleged that LabMD failed to provide reasonable and appropriate security for personal information stored on its computer network.  The complaint was based on an alleged vulnerability identified in 2008 by a forensic analyst working for Tiversa, a data security company.  While the Office of Civil Rights might be expected to take charge had the event happened today, the FTC asserted jurisdiction.

The Tiversa analyst allegedly located a copy of a LabMD insurance aging report via a peer-to-peer (P2P) application.  The file, referred to in the opinion as the “1718” file, supposedly contained “1,718 pages of sensitive personal information for approximately 9,300 consumers, including their names, dates of birth, social security numbers, ‘CPT’ codes designating specific medical tests and procedures for lab tests conducted by LabMD, and, in some instances, health insurance company names, addresses, and policy numbers.”  The forensic analyst alleges that he was also able to download other shared files from the same LabMD IP address.  The 1718 file was allegedly exposed because a LabMD billing manager was given administrator rights and downloaded a P2P application to her computer.  The billing manager had allowed the P2P application to share the entire contents of her “My Documents” folder with other users.

The ALJ held that under Section 5(n), LabMD’s computer data security practices had not been shown to have “caused” or have been “likely to cause” “substantial consumer injury” sufficient to invoke the FTC’s jurisdiction.  In pertinent part, the ALJ found that the limited disclosure of the 1718 file to Tiversa (and to an affiliated academic researcher) did not constitute sufficient injury under Section 5(n).  The ALJ also noted that Complaint Counsel relied on unsubstantiated evidence provided by Tiversa in bringing its original complaint.

In reversing the ALJ, the Commission determined that the ALJ improperly interpreted Section 5(n) of the FTC Act, and it disagreed with the ALJ’s findings.  Specifically, the Commission found that LabMD’s unauthorized disclosure of the 1718 file itself caused substantial injury under Section 5(n), even though the 1718 file disclosure was limited to only Tiversa and one other researcher.  The Commission noted that “substantial” consumer injury under Section 5(n) could include “an intangible but very real harm like a privacy harm resulting from the disclosure of sensitive health or medical information.”  The mere disclosure of the 1718 file itself was therefore sufficient injury under Section 5(n).

Further, the Commission concluded that the disclosure of the 1718 file via a peer-to-peer file sharing application “was likely to cause substantial injury and that the disclosure of sensitive medical information did cause substantial injury” under Section 5(n).  The opinion noted that physical or economic harm was not required, at least when medical information is at issue.  “[T]he disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n).”  Finally, as to whether substantial injury was “likely” to occur, the Commission stated that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”

The Commission also pointed to specific shortcomings in the company’s data security procedures.  Those issues included LabMD’s failure to employ adequate risk assessment tools, including intrusion detection, file integrity monitoring, and penetration testing.  The opinion also noted that LabMD failed to provide data security training to its employees, and that it failed to adequately restrict or monitor employee administrator access.  The Commission also stated that the security tools LabMD had used to mitigate risk were inadequate under the circumstances, and that its “antivirus programs, firewall logs, and manual computer inspections … could identify only a limited scope of vulnerabilities” and were often used ineffectively.

The problem with the Commission’s ruling is that it turned the “likely to cause substantial consumer injury” test on its head, finding unfairness where an unlikely risk may be theoretically large in potential scope.  This conclusion is at odds with the statutory requirement that there was actual – or even likely – harm.  The test for jurisdiction under Section 5 in no way suggests that the likelihood of harm test (causation) requires a lower standard if the consumer injury is somehow potentially more “substantial.”

LabMD has 60 days in which to file a petition for review of the FTC’s decision with the U.S. Court of Appeals.  Michael Daugherty, president and CEO of now-defunct LabMD,  recently expressed his desire to take the legal battle to federal court on appeal.

August 8, 2016

Court Dismisses TCPA Claim Because Text Messaging App Does Not “Make” Calls

BY DAVID M. GETTINGS, TIM J. ST. GEORGE, ALAN D. WINGFIELD AND DAVID N. ANTHONY

In Cour v. Life360, Inc., the United States District Court for the Northern District of California granted a defendant’s motion to dismiss a claim under the Telephone Consumer Protection Act, finding that the defendant’s system for sending text messages did not constitute “making” a call under the statute.  In reaching its decision, the Court advanced a narrow interpretation of what it means to “make” a call under the TCPA.

Cour involved allegedly unsolicited text messages.  According to the plaintiff, he received a text message from Life360 saying “TJ, check this out….”, despite not being a Life360 user and never downloading the Life360 app.  Because he claimed that this text message was unwelcome, the plaintiff sued Life360 for allegedly “mak[ing]” a call without express consent – a practice generally restricted under the TCPA.

For purposes of the Court’s decision, it presumed that Life360 works in the following manner: (1) Life360 asks users for permission to access their phone’s contacts; (2) users who allow such access are brought to a screen giving them the option to “add members;” (3) users are then given the option to “invite” specific members of their contacts to join Life360; and (4) Life360 sends text messages to those contacts “invited” by a member.

In deciding to dismiss the plaintiff’s claims, the Court’s analysis turned on whether Life360 “makes” calls under the TCPA.  It held that Life360 does not.  According to the Court, the fact that Life360 requires users to choose which of their contacts should receive an invitation, and then requires users to press the “invite” button before the text message is sent, means that Life360 is not making “calls” under the TCPA.

In reaching this conclusion, the Court was guided by the Federal Communication Commission’s July 10, 2015 order, wherein the FCC analyzed whether two companies, TextMe and Glide, “make” calls under the TCPA.  The Court found the FCC’s analysis “[o]f particular relevance” because it clarified for the Court the type of actions that constitute “making” calls in the context of apps sending invitational text messages.  For example, the Court noted the FCC’s conclusion in an analogous situation that the “app user’s actions and choices effectively program the cloud-based dialer to such an extent that he or she is so involved in the making of the call as to be deemed the initiator of the call … .”

Ultimately, in the Court’s view, the goal of the TCPA is to prevent the invasion of privacy.  When considering the facts of the case and the FCC’s interpretation of the TCPA, the Court concluded that the person who chooses to send an unwanted invitation through Life360, and not Life360 itself, “is responsible for invading the recipient’s privacy.”  As a result, the Court dismissed the plaintiff’s TCPA claims.

August 3, 2016

Urban Outfitters, Anthropologie Dodge Putative ZIP Code Class Action Under Spokeo

BY RONALD I. RAETHER, JR., MARK C. MAO AND RYAN A. LEWIS

The Court of Appeals for the District of Columbia shot down a putative class action brought against Urban Outfitters, Inc., and Anthropologie, Inc., which had alleged that the companies violated D.C. consumer protection statutes by collecting customer ZIP code information during in-store checkout.  The July 26 ruling remanded the suit for dismissal, and held that Plaintiffs failed to establish Article III standing under the Supreme Court’s recent decision in Spokeo.  The ruling highlights the continuing obstacles facing would-be class action plaintiffs under Spokeo.

Plaintiffs Whitney Hancock and Jamie White brought the action against the retailers for alleged violations of the District of Columbia’s Use of Consumer Identification Information Act (the “Identification Act”) and its Consumer Protection Procedures Act (the “Protection Act”).  Specifically, Plaintiffs alleged that Defendants’ request for ZIP codes at checkout violated the Identification Act’s ban on obtaining addresses as a condition of a credit card transaction.  Plaintiffs further claimed that the request for ZIP codes violated the Protection Act by, among other things, falsely implying to consumers that disclosure of the ZIP codes is required to complete a credit card transaction.

Quoting Spokeo, the court dismissed Plaintiffs’ statutory claims.  “The complaint here does not get out of the starting gate.  It fails to allege that Hancock or White suffered any cognizable injury as a result of the [ZIP] code disclosures.”  The court noted that Plaintiffs’ counsel admitted that the only alleged injury was that Plaintiffs were asked for a ZIP code, when under D.C. law they should not have been.  “The Supreme Court’s decision in Spokeo thus closes the door on Hancock and White’s claim that the Stores’ mere request for a [ZIP] code, standing alone, amounted to an Article III injury.  Spokeo held that plaintiffs must have suffered an actual (or imminent) injury that is both particularized and ‘concrete … even in the context of a statutory violation.’”

In the wake of Spokeo, it is clear that plaintiffs cannot allege mere “bare procedural” statutory harm to establish Article III standing.  Spokeo mandates allegations of a concrete harm.  The Spokeo decision continues to aid defendants in dodging putative class actions before they get out of “the starting gate.”  This blog’s further discussion of the Spokeo decision can be found here.

August 1, 2016

Federal Judge Denies Hearst Communications’ Motion to Dismiss Privacy Lawsuit

Federal courts continue to interpret and analyze the Supreme Court’s decision in Spokeo, Inc. v. Robins.  Recently, a federal judge in New York permitted a lawsuit against Hearst Communications, Inc., to move forward after considering supplemental briefing on Article III standing.

Plaintiffs Suzanne Boelter and Josephine Edwards subscribe to magazines published by Hearst.  Plaintiffs claim that Hearst sold their personal information to third parties, without their consent, in violation of Michigan’s Video Rental Privacy Act (“VRPA”).  Hearst asked the court to dismiss the complaint for lack of Article III standing, arguing that Plaintiffs failed to allege any concrete injury-in-fact and instead relied on bare procedural violations of the law.  In response, Plaintiffs argued that Hearst’s disclosure of information implicated their right to privacy and personal security.  Plaintiffs also claimed that as a result of Hearst’s actions, they suffered actual injury because they overpaid for magazine subscriptions and received junk mail and telephone solicitations.

Judge Analisa Torres denied Hearst’s motion to dismiss, holding that Plaintiffs’ allegations qualified as particularized and concrete harm, and that they adequately alleged “injury-in-fact.”  Taking the allegations as true, the Court held that Hearst’s sale and disclosure of personal information to third parties violated Plaintiffs’ right to keep their information private, subjected Plaintiffs to unwanted solicitations, and resulted in Hearst’s unjust retention of economic benefits.  Judge Torres also denied the motion to dismiss on other grounds, including that the VRPA was constitutional and that the complaint stated a plausible claim for relief.

There is no doubt that the plaintiffs’ bar will continue to disagree about the implications of Spokeo.  However, as Judge Torres acknowledged, “violation of a statute by itself is insufficient to confer standing to sue,” and it is clear that to satisfy Article III standing plaintiffs must allege a concrete and consequential harm beyond a mere technical violation of a statute.  Accordingly, defendants should anticipate that clever plaintiffs will continue to create theories of harm that attempt to sidestep the lack of tangible injury—such as those made by Plaintiffs in Hearst of “unjust enrichment” and “invasion of privacy.”

July 29, 2016

Microsoft Prevails in Second Circuit Stored Communications Act Warrant Ruling

Microsoft prevailed in its appeal to the Second Circuit from an order denying its motion to quash a warrant seeking a Microsoft user’s email stored on the company’s servers in Ireland.  The ruling sets important precedent limiting the extraterritorial reach of the federal government in seeking to compel disclosure of private company data under the Stored Communications Act (“SCA”).  Microsoft received high profile support in its appeal, with the likes of Apple, AT&T, Amazon, Verizon Communications, Cisco, and the country of Ireland joining as amici curiae.

The ruling may also help bolster the credibility of the fledgling EU-U.S. Privacy Shield data transfer agreement, which has been criticized by European regulators for not adequately safeguarding EU personal data from U.S. government scrutiny.  Privacy Shield’s predecessor, Safe Harbor, was struck down by the European Court of Justice over similar concerns.  European regulators have so far signaled reluctant acceptance of Privacy Shield, but issues like automated data profiling continue to cause worries.  The ruling by the Second Circuit may help to allay some fears over the staying power of Privacy Shield.

The July 14 ruling by Judge Susan L. Carney of the United States Court of Appeals for the Second Circuit reversed the denial by the District Court for the Southern District of New York of Microsoft’s motion to quash, and vacated the court’s finding of civil contempt for Microsoft’s failure to comply with the warrant.

Judge Carney’s ruling emphasized the SCA’s intended focus on safeguarding privacy in stored electronic communications.  “Contrary to the government’s contention, this section does more than merely protect against the disclosure of information by third parties.  By prohibiting the alteration or blocking of access to stored communications, this section also shelters the communications’ integrity.”  Importantly, Judge Carney held that a “warrant” issued under the SCA is subject to traditional territorial limitations and constitutional requirements, including the presumption against extraterritoriality, and is not akin to a subpoena.

The warrant served on Microsoft was issued by a United States magistrate judge as part of a narcotics investigation into an unnamed individual.  The warrant directed Microsoft to seize and produce the contents of the individual’s Microsoft Outlook “@msn.com” email account.  The individual’s non-content information was stored on servers in the United States.  The individual’s content information, however, was stored on servers in Ireland, as Microsoft generally stores content at datacenters located near the physical location identified by the user.

Microsoft complied with the warrant in part and produced the individual’s U.S.-based non-content information.  Microsoft refused to produce the customer content stored on its servers in Ireland, however, and moved to quash the warrant.  Microsoft’s motion subsequently was denied by the District Court, and the company was eventually held in civil contempt.

In presenting its case, the federal government argued that similar to a subpoena, an SCA warrant requires the recipient to deliver records to the government regardless of where the records are located, so long as they are in the recipient’s custody and control.  Microsoft swayed the court in asserting that an SCA warrant is subject to the same territorial boundaries as a traditional warrant.  Judge Carney also noted that the federal government conceded that the warrant provisions of the SCA do not contemplate or permit extraterritorial application.  The court further pointed out that the SCA itself draws a distinction between “subpoena” and “warrant”, with the latter providing a greater degree of privacy protection.

The federal government also contended that preventing SCA warrants from reaching data stored abroad would seriously impede law enforcement efforts, and that the current process for obtaining such information, using Mutual Legal Assistance Treaties (“MLATs”), is overly cumbersome.  Judge Carney dismissed this argument, noting that international comity and the text of the SCA supported limiting the scope of a warrant under the SCA.

The Second Circuit’s ruling can be seen as a win for companies concerned about maintaining user privacy and curbing law enforcement’s reach into private user data.  The ruling limits law enforcement’s ability to compel host companies like Microsoft to produce private user data stored abroad.


July 25, 2016

Microsoft Fix for MiTM Security Patch Reveals Need for Thoughtful Patching Procedures

Most organizations understand the importance of timely implementing software updates and patches.  However, open platforms have permitted a level of customization such that a patch in one application may have unintended consequences in other parts of the overall system architecture, including customization of the software being updated.  A good example is the recent Microsoft security patch released in June that resulted in problems with many users’ Group Policy objects (“GPOs”).  While Microsoft issued guidance on July 5 as to how to repair the Group Policy problems caused by the patch, the experience is an example of unintended consequences that can arise during routine product security updates.

Group Policy is Microsoft’s tool for managing user and computer settings on certain networks.  In other words, Group Policy determines which users and devices get access to the sensitive data of the company (and the applications), or have the authority to make changes to the system (the “keys to the kingdom”).  Microsoft reportedly was beset with a bevy of complaints from users reporting network and user access issues caused by the patch.

The patch, released on June 14, resolved a vulnerability that could allow elevation of privilege in the event of a “man-in-the-middle” (“MiTM”) attack against traffic passing between a domain controller and a target machine.  Generally speaking, a MiTM attack is an attack on an authentication protocol in which the attacker positions itself between two parties so as to intercept (and possibly alter) the data traveling between them.  According to Microsoft, if a MiTM attack were underway, an attacker could create a group policy to grant administrator rights to a standard user.

Microsoft’s June patch addressed the vulnerability by enforcing Kerberos authentication for certain calls over the Lightweight Directory Access Protocol (“LDAP”), but it had the additional effect of breaking many users’ Group Policy Objects.  In other words, the patch limited an exploit available to an outside hacker, but in doing so potentially gave internal users, qualified only for limited permissions, unfettered access to system controls.  In simplified terms, where a user normally would have only “read” rights, a GPO that stops applying could leave that user with read, write, and edit rights.
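A defender’s audit of the breakage described above, added here as an example that is not part of the original post and is not Microsoft’s own tooling: it uses the GroupPolicy PowerShell module (Get-GPO, Get-GPPermission, Set-GPPermission) to list the GPOs that lack the Read permission for Authenticated Users or Domain Computers that Microsoft’s repair guidance for this patch calls for, and can optionally add it.  It assumes a domain-joined administrative session with the RSAT Group Policy tools installed.

```powershell
# Added example (not from the original post and not Microsoft's tooling): audit every GPO
# in the domain for the Read permission a GPO needs in order to keep applying after the
# June 2016 patch, and optionally repair it. Assumes RSAT's GroupPolicy module and a
# domain administrator context.
Import-Module GroupPolicy

function Test-GpoReadPermission {
    [CmdletBinding()]
    param(
        # Without -Repair the function only reports; nothing is changed.
        [switch]$Repair
    )

    foreach ($gpo in Get-GPO -All) {
        # All non-Deny entries on the GPO's ACL. Any permission level other than
        # None (Read, Apply, Edit, ...) includes the ability to read the GPO.
        $perms = Get-GPPermission -Guid $gpo.Id -All | Where-Object { -not $_.Denied }

        $authUsersRead = $perms | Where-Object {
            $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -ne 'None'
        }
        $domainComputersRead = $perms | Where-Object {
            $_.Trustee.Name -eq 'Domain Computers' -and $_.Permission -ne 'None'
        }

        $willApply = [bool]($authUsersRead -or $domainComputersRead)

        if (-not $willApply -and $Repair) {
            # Microsoft's guidance: restore Read for Authenticated Users, or grant Read to
            # Domain Computers when Authenticated Users was removed for security filtering.
            # GpoRead (not GpoApply) is used so the GPO's security filtering is unchanged.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' -TargetType Group `
                -PermissionLevel GpoRead | Out-Null
            $willApply = $true
        }

        [pscustomobject]@{
            GpoName             = $gpo.DisplayName
            Id                  = $gpo.Id
            AuthUsersRead       = [bool]$authUsersRead
            DomainComputersRead = [bool]$domainComputersRead
            WillApplyAfterPatch = $willApply
        }
    }
}

# Report-only run: GPOs that would silently stop applying once the patch is installed.
Test-GpoReadPermission | Where-Object { -not $_.WillApplyAfterPatch } | Format-Table -AutoSize

# After reviewing the report, the same function can add the missing Read entry:
# Test-GpoReadPermission -Repair
```

Run the report-only form before rolling the patch out; the GPOs it lists are the ones whose loss would remove restrictions from the users and computers they target.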

While the debate initially involved whether the unintended consequence of the patch was the fault of Microsoft or the users, in the event of a breach, the debate makes little difference to the affected company.  Careful and thoughtful consideration is required to balance the complexities of an information security program.  Understanding the implications of an update and patch policy (which to most may seem simple), is just the beginning.

July 18, 2016

FTC Issues APEC CBPRs Warning Letters to Companies Claiming Compliance

The FTC issued warning letters to 28 companies that allegedly advertised participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system (“APEC CBPRs”), but had not received the requisite certification.  A company seeking to participate in the CBPR system must first have its compliance established by an APEC-recognized accountability agent.

The APEC CBPRs is a voluntary, self-regulated system developed by participating APEC countries, including the United States.  The system requires participating businesses to develop and implement data privacy policies consistent with the APEC Privacy Framework.  The framework is based on nine data privacy principles: preventing harm, notice, collection limitation, use, choice, integrity, security safeguards, access and correction, and accountability.  Companies certified under the system appear on the CBPRs website.

In the United States, the FTC enforces the APEC CBPR system under the FTC Act. The FTC has demanded that the 28 companies remove the claims regarding APEC CBPR from their websites immediately, and to confirm with the FTC that they have done so or that they are, in fact, certified.

This is not the first time that the FTC has targeted companies over false APEC CBPRs representations. In May of this year, a San Francisco-based manufacturer of hand-held vaporizers settled with the FTC over charges that it deceived consumers about its participation in APEC CBPRs.  Under the terms of the settlement, the company is prohibited from misrepresenting its participation, membership, or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.

FTC enforcement actions have not been limited to the APEC CBPRs.  In August 2015, the FTC charged 13 U.S. companies with misrepresenting that they were compliant with the US-EU Safe Harbor framework, when company certifications had lapsed or certifications had not been applied for at all.

July 18, 2016

Class Action Data Breach Complaint Against Wendy’s Dismissed for Lack of Standing

As we previously reported, Plaintiff Jonathan Torres filed a putative class action against Wendy’s in the wake of a data breach that the fast-food company suffered earlier this year.  Wendy’s subsequently filed a motion to dismiss Torres’ complaint, which the U.S. District Court for the Middle District of Florida granted on July 15.

In its Order dismissing the Complaint, the Florida federal court focused its analysis on “when, exactly, the loss or theft of an individual’s data becomes a concrete injury for purposes of establishing standing.”  As a result of the data breach, Torres allegedly experienced two fraudulent charges on his debit card, which he did not contend went unreimbursed.  Wendy’s thus argued that Torres suffered no out-of-pocket losses.  Torres, on the other hand, argued that his injuries amount to actual identity theft, which he contended was sufficient to confer standing.

The Court recognized that the Eleventh Circuit has not yet directly addressed the extent of injury that a purported data breach victim must allege to survive a motion to dismiss.  The Court ultimately held that because Torres did not allege any monetary harm stemming from the two fraudulent charges, he failed to allege actual harm sufficient to establish injury-in-fact.

Additionally, the Court addressed Torres’ claim that he has standing based on the imminent threat of future harm flowing from potential fraud and identity theft.  Wendy’s countered that speculative future harm cannot confer standing on a plaintiff.  The Court agreed with Wendy’s, holding that “Plaintiff’s alleged harm is highly speculative based on the facts and the asserted injuries do not appear ‘certainly impending.’”

The Court ultimately dismissed Torres’ complaint for lack of subject matter jurisdiction.  However, Torres was granted leave to file an Amended Class Action Complaint to cure the deficiencies identified in the Court’s Order, if possible.

Troutman Sanders will continue to monitor the developments in this case.

July 18, 2016

Ransomware in Healthcare – A Clear and Present Danger

Ransomware has become a major threat to electronic records systems worldwide. The US government reported recently that there have been 4,000 daily ransomware attacks so far in 2016! This represents a 300% increase to the number of attacks that occurred in 2015. Hospitals and other healthcare organizations have become popular targets for ransomware attackers. Nearly one half of all U.S. hospitals reported at least one ransomware attack during the past year. The healthcare industry is especially vulnerable because ransomware attacks can block access to Electronic Medical Records (EMR) which can result in patient care services being disrupted. Hospitals and other healthcare providers are updating their Continuity of Operations Plans to address prolonged loss of the EMR and rapid implementation of back-up electronic or paper systems.

The rise in ransomware attacks in the healthcare industry has also led to many questions about HIPAA compliance before, during and after an attack. The U.S. Department of Health and Human Services Office of Civil Rights (OCR) issued guidance on July 11, 2016, to address some of these questions. OCR is responsible for HIPAA enforcement and responding to complaints alleging HIPAA violations. The way in which OCR views the interaction of HIPAA and ransomware is relevant for every healthcare organization and every HIPAA business associate. Here are some key take-aways from the OCR guidance:

  1. A ransomware attack constitutes a “security incident” under the HIPAA Security Rule, and once the ransomware is detected, the covered entity or business associate must implement its security incident response and reporting procedures. The high incidence of ransomware attacks on healthcare providers means that every provider should be conducting exercises to test their security incident and response procedures using ransomware based scenarios.
  2. A ransomware attack will probably result in a reportable data breach as defined by HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act). The ransomware virus works by encrypting data within the EMR so that it cannot be accessed by users. The OCR guidance makes clear that when electronic Protected Health Information (ePHI) is encrypted as a result of a ransomware attack, a data breach has occurred. This is because the act of encryption means the ePHI was “acquired” by the attacker which is an unauthorized disclosure of the ePHI under HIPAA. Unless the covered entity or business associate can prove that there is a “low probability that the ePHI has been compromised” under the Breach Notification Rule, then the breach must be reported.
  3. Congress is calling for HHS to declare that every ransomware event is automatically a reportable breach, but the guidance does not go that far. The covered entity or business associate that is the victim of a ransomware attack can attempt to demonstrate that there is a low probability that ePHI has been compromised as a result of the attack so that no breach notification is required. The burden of proof is squarely on the covered entity or business associate to prove this. The documentation supporting this determination must be rock-solid, since it could be challenged later. The guidance requires the covered entity or business associate to act in good faith in making this determination and to retain the documentation supporting its determination.
  4. Even if the ePHI is encrypted within the EMR, the guidance makes clear that a ransomware attack might still be a reportable breach. There must be a fact-specific investigation about how the ePHI was being used at the moment of the ransomware attack in order to determine whether a reportable breach has occurred.

The threat of ransomware is not going away. New viruses are being developed and deployed every single day. Every healthcare organization must assume that it will be attacked by ransomware in the near future and prepare accordingly. This means updating your security incident response plan, educating employees about the ransomware threat, conducting realistic exercises simulating a ransomware attack to identify gaps in your organization’s response, and addressing those gaps quickly.

For additional information, please contact Troutman Sanders Partner and Healthcare Practice Leader, Steve Gravely, at steve.gravely@troutmansanders.com and Troutman Sanders Partner, Erin Whaley, at erin.whaley@troutmansanders.com.

July 14, 2016

EU Member States Approve Privacy Shield

On July 8, European Union member states approved the Trans-Atlantic Privacy Shield data transfer deal, finally paving the way for the pact to be formally approved by EU and U.S. officials on July 12.

The Article 31 committee, which is made up of representatives of each EU member state, held their highly anticipated final vote on the Privacy Shield, which EU and U.S. officials revealed in February, to replace the longstanding safe harbor data transfer deal that was struck down last year by the European Court of Justice.

The Article 31 committee’s approval comes after many months of criticism from various EU bodies of the European Commission’s initial February proposal, including the European Parliament, the Article 29 Working Party, and the European Data Protection Supervisor.  The Article 29 Working Party in particular expressed concerns over the February proposal for its lack of a data retention principle and data processing purpose limitation, as well as issues of onward data transfer and EU individuals’ right of redress.

Commenting on the approval of the Privacy Shield, Andrus Ansip, Vice President for the Digital Single Market on the European Commission, and Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, said in a joint statement:

Today Member States have given their strong support to the EU-U.S. Privacy Shield, the renewed safe framework for transatlantic data flows.  This paves the way for the formal adoption of the legal texts and for getting the EU-U.S. Privacy Shield up and running.  The EU-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business.  It is fundamentally different from the old ‘Safe Harbour’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.  For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data.  And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms.  During the formal adoption process, the Commission has consulted as broadly as possible taking on board the input of key stakeholders, notably the independent data protection authorities and the European Parliament.  Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice.  Today’s vote by the Member States is a strong sign of confidence.

We previously wrote here that the need for a new privacy shield came about in light of the Snowden revelations, when an Austrian privacy activist named Max Schrems brought suit against Facebook for its alleged transfer of personal data to the United States’ National Security Agency (NSA), as part of NSA’s PRISM program.  Schrems’ “Europe v. Facebook” group filed suit against Facebook in Ireland with the Irish Data Protection Commissioner.  On June 18, 2014, the suit before the Irish High Court was referred to the Court of Justice of the European Union (CJEU).  The central question of the referral was the legitimacy of the European Union’s granting of “Safe Harbor” status to the United States when it came to the transfer of personal information.

On September 23, 2015, the CJEU found that with respect to the powers of national supervisory authorities, the European Commission may adopt a decision that a third country ensures an adequate level of protection that is binding on all member states and their organs, including national supervisory authorities.  However, a European Commission determination, such as the Commission Decision 5000/250 that first found the Safe Harbor “adequate,” does not prevent a national supervisory authority from examining claims lodged by individuals concerning the processing of their personally identifiable information (PII).  In fact, “[w]hile the Advocate General (of the CJEU) acknowledges that the national supervisory authorities are legally bound by the Commission decision (on the Safe Harbor) … such a binding effect cannot require complaints to be rejected summarily.”  Thus, the CJEU found that the Safe Harbor program was inadequate insofar as it allowed for government interference with individual privacy rights, it failed to give individuals whose rights were violated a means of redress, and it prevented national supervisory authorities from exercising their powers on behalf of their citizens.

Since then, companies have been eagerly anticipating a new privacy shield as the EU member states and the U.S. engaged in dialogue for months.  Today’s announcement marks a significant step towards reaching a final agreement.

Even with the expected approval by the EU and U.S. on July 12, there is very real risk that the Court of Justice may deem the new arrangement invalid as well. Max Schrems, the privacy activist, has already vowed to challenge the new Privacy Shield in EU courts. Therefore, the new Privacy Shield may be short lived once it is enacted.

July 8, 2016