GDPR Archives - EMPLOYEE BENEFITS BLOG

Health Data in the EU and UK: Regulatory Trends and Developments

by Sharon Lamb, Deniz Tschammler, Daniel F. Gottlieb, Lorraine Maisnier-Boché and Pilar Arzuaga | Apr 25, 2023 | Digital Health, Employee Benefits, Health and Welfare Plans

With the General Data Protection Regulation (GDPR) resulting in a rise in enforcement incidents, it is prudent for organizations operating in the health and life sciences industries across the United Kingdom, European Union (EU) and other European Economic Area (EEA) nations to assess their responsibilities regarding the gathering and handling of health data.

Major Points:

“Data concerning health” is a wide term; it doesn’t just apply to medical records. Policies and processing records should accurately capture all health data, including inference data.
Most EEA countries, and the United Kingdom, have national laws that supplement GDPR.
Consent is not the only legal basis for collecting, storing and using health data; there are other options available, but be aware that “insufficient legal basis for data processing” is a common type of GDPR violation.
If used, health data consents must be granular, specific and transparent, and they must break down all the purposes for which the data is being processed. Consent must be granted on an “opt-in” basis and not as a result of a pre-filled tick box.
Health data may be reused for genuine scientific research purposes provided the processing is compatible with the original use, appropriate safeguards are in place and any separate national law conditions are satisfied.
Privacy policies and transparency notices must be clear about the basis on which health data is processed.
Proceed carefully and consider reidentification risk when relying on anonymisation to process data; document any reidentification risk assessment and periodically review risk assessment in light of developments in publicly available data and evolving risk environment. Technical measures, such as evolving encryption standards, should be reviewed periodically.

VIDEO: Transfers of Health Data from the European Union to the United States in a Post-Schrems II World

by Amy C. Pimentel and Romain Perray | May 27, 2021 | Employee Benefits, Health and Welfare Plans, Privacy and Data Security

In this video, McDermott Will & Emery partner Amy C. Pimentel explains the significance of health data transfers from the European Union to the United States in a post-Schrems II world. The recent Schrems II ruling invalidated the EU-US Privacy Shield, holding that the US legal regime on access to personal data does not contain adequate limitations and safeguards. Pimentel and McDermott’s Romain Perray recently also wrote for McDermott’s International News about this topic.

Access the article.

Passage of California Privacy Act Could Spur Similar New Regulations in Other States

by Laura Jehl | Dec 21, 2020 | Employee Benefits, Employment, Labor, Privacy and Data Security

On November 3, California citizens approved the California Privacy Rights and Enforcement Act (the CPRA), a comprehensive privacy law that amends another privacy law that went into effect in the state on January 1, the California Consumer Privacy Act (CCPA). The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.

In a recent article in CSO, McDermott partner Laura Jehl discussed the impact of the CPRA on the future of privacy legislation in the United States.

Access the article.

The Rise of Facial Recognition Technology: Mapping the Legal Framework

by Ashley Winton | Mar 10, 2020 | Privacy and Data Security

In January 2020, the Supreme Court decided it would not hear the issue of whether Facebook broke the law in Illinois when it instituted a photo-tagging feature that honed in on users’ faces and tagged them without their consent, and Facebook has now settled with the users for $550 million. The Illinois law is part of a patchwork of laws applicable to facial recognition technology (FRT).

McDermott’s Ashley Winton contributes to the second installment of a three-part article series on FRT. This article examines the applicable legal framework and regulatory guidance, including intellectual property rights, general privacy legislation, specific state biometric data laws and more.

Access the full article.

Originally published on Cybersecurity Law Report, February 2020

2018 Digital Health Data Developments – Navigating Change in 2019

by McDermott Will & Emery | Feb 14, 2019 | Privacy and Data Security

Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in 2019. Here, we summarize four key issues that stakeholders should watch in the coming year. For more in-depth discussion of these and other notable issues, access the full report.

EU General Data Protection Regulation (GDPR) enhances protections for certain personal data on an international scale. US-based digital health providers and vendors that either (a) offer health care or other services or monitor the behavior of individuals residing in the EU, or (b) process personal data on behalf of entities conducting such activities should be mindful of the GDPR’s potential applicability to their operations and take heed of any GDPR obligations, including, but not limited to, enhanced notice and consent requirements and data subject rights, as well as obligations to execute GDPR-compliant contracts with vendors processing personal data on their behalf.
California passes groundbreaking data privacy law. The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, will regulate the collection, use and disclosure of personal information pertaining to California residents by for-profit businesses – even those that are not based in California – that meet one or more revenue or volume thresholds. Similar in substance to the GDPR, the CCPA gives California consumers more visibility and control over their personal information. The CCPA will affect clinical and other scientific research activities of academic medical centers and other research organizations in the United States if the research involves information about California consumers.
US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) continues aggressive HIPAA enforcement. OCR announced 10 enforcement actions and collected approximately $25.68 million in settlements and civil money penalties from HIPAA-regulated entities in 2018. OCR also published two pieces of guidance and one tool for organizations navigating HIPAA compliance challenges in the digital health space.
Interoperability and the flow of information in the health care ecosystem continues to be a priority. The Office of the National Coordinator for Health Information Technology (ONC) submitted its proposed rule to implement various provisions of the 21st Century Cures Act to the Office of Management and Budget (OMB) in September 2018; this is one of the final steps before a proposed rule is published in the Federal Register and public comment period opens. The Centers for Medicare & Medicaid Services (CMS) released its own interoperability proposed rule and finalized changes to the Promoting Interoperability (PI) programs to reduce burden and emphasize interoperability of inpatient prospective payment systems and long-term care hospital prospective payment systems.

GDPR 6 Months After Implementation: Where are We Now?

by Amy C. Pimentel and Mark E. Schreiber | Nov 13, 2018 | Privacy and Data Security

The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. In almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.

Critical provisions

The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.

The GDPR uses other terms not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual about whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).

The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers). (more…)

UK Employment Alert | What to Expect in UK Employment Law in 2018: GDPR, Brexit Negotiations and More

by Anthony A. Bongiorno, Katie Clark and Paul McGrath | Jan 11, 2018 | Employment, Privacy and Data Security

Whilst 2017 was anticipated to be a fairly static year for UK employment law, that did not in fact prove to be the case, and there were various notable developments. To a large degree, 2018 is likely to be defined by the ongoing Brexit negotiations and the passage of the EU Withdrawal Bill, which will, amongst other things, lay the framework for the future movement of EU workers to the United Kingdom. Employers should, however, be aware of some additional key developments on the horizon.

Key UK Employment Law Events in 2017 and Beyond

by Anthony A. Bongiorno, Katie Clark and Paul McGrath | Jan 19, 2017 | Benefit Controversies, Employee Benefits, Employment, Executive Compensation, Labor, Privacy and Data Security

Current indications are that 2017 may be a fairly static year as regards to employment law.

Whilst it is anticipated the government will trigger Article 50 to start Brexit negotiations, these are likely to last for at least two years, and existing employment laws are unlikely to feel any ripple effect from leaving the European Union for some time.

In the meantime, the Prime Minister has asked for a review, expected to take around six months, on whether current employment laws are adequate to protect the rights of the growing numbers of atypical workers. It is unlikely though that any resulting changes will come into effect in 2017.

There are, however, a number of key developments that employers will definitely need to get to grips with, or at least prepare for, in 2017.

Read the full article here.

*Cindy LaMontagne (Trainee) contributed to this article.

The Impact of the EU Data Protection Regulation

by Anthony A. Bongiorno, McDermott Will & Emery, Dr. Paul Melot de Beauregard and Maximilian Baur | Sep 15, 2016 | Privacy and Data Security

The EU General Data Protection Regulation 2016/679 (GDPR) was published in the Official Journal of the European Union on 4 May 2016 following the compromise agreed among the Council of the European Union and the European Parliament.

The GDPR will essentially affect any business coming into contact with European personal data.

Read the full article here to learn of the impact and next steps.

Brexit Update: The Effect of Brexit on Data Transfers between the United Kingdom and the European Union

by Dr. Claus Färber | Sep 1, 2016 | Privacy and Data Security

With the United Kingdom having voted to leave the European Union (Brexit) on 23 June 2016, the free flow of personal data between the United Kingdom and EU and European Economic Area (EEA) countries is at risk. Should the United Kingdom also leave the EEA and thus become a “third country” for the purposes of data transfers, EU/EEA businesses that are currently retaining UK service providers or data centres to handle or store personal data, or are planning to do so, would have to carefully re-evaluate this decision.

Read the full article here.

BLOG EDITORS

STAY CONNECTED

TOPICS

ARCHIVES

RECENT POSTS