Privacy and Data Security

Privacy and Data Protection: 2012 Year in Review

For more information, please contact Heather Egan Sussman, Daniel F. Gottlieb or Rohan Massey.

Privacy and data protection continue to be an exploding area of focus for regulators in the United States and beyond.  This Special Report gives in-house counsel and others responsible for privacy and data protection an overview of some of the major developments in this area in 2012 around the globe, as well as a prediction of what is to come in 2013.

To read the full article, click here.

New HIPAA Regulations Affect Business Associates and Subcontractors

by Amy M. Gordon, Susan M. Nash and Jamie A. Weyeneth

The Health Insurance Portability and Accountability Act omnibus regulations recently released by the U.S. Department of Health and Human Services have significant ramifications for business associates and subcontractors of business associates.

To read the full article, click here.

Workplace E-mail Monitoring in Germany

by Volker Teigelkötter and  Bettina Holzberger

In 2009, the German public was shaken by several scandals that revealed a number of international companies systematically, continuously and comprehensively monitored their employees’ personal data.  This included spying on employees’ private bank accounts and secretly observing employees in their offices via hidden video surveillance.

Even though the general Federal Data Protection Act (the BDSG) was effective at the time, the German Government came to the welcome conclusion that it was necessary to implement a data protection act dedicated to the particularly sensitive relationship between employers and employees, with the primary objective of protecting employees and their right to privacy.

To read the full article, click here.

HIPAA De-Identification Guidance

by Jennifer S. Geetter, Amy M. Gordon, Daniel F. Gottlieb and Amy Hooper Kearbey

The Office for Civil Rights has released additional guidance addressing the de-identification of protected health information in accordance with the HIPAA Privacy Rule.  Covered entities should review their current de-identification methods and make any necessary changes to comply with the new guidance.

To read the full article, click here.

Italian Data Protection Authority’s Guide on Cloud Computing

by Martino Sforza

The Italian Data Protection Authority (DPA) has published a guide on cloud computing, "How to Protect Your Data Without Falling From a Cloud," which contains useful recommendations on how to select and appoint cloud providers and vendors of data management and storage services.  This is the first official guidance issued by the Italian DPA in response to the fast-growing use of cloud services in Italy, and it might be of particular interest to employers who outsource their data systems to cloud service providers.  The guide offers an overview of the potential issues linked to the various types of cloud services, whether they are managed on public, private or hybrid clouds.  Under Italian law, cloud providers are appointed as data processors while employers act as data controllers and will be liable for any wrongdoing committed by the data processors. Employers are therefore well advised to negotiate appropriate terms for the management of the "cloud-based" data and make sure that adequate technical and organizational measures are in place in order to avoid possible loss or unauthorized disclosure.

Click here to read the full guide on the Italian DPA website.  

Binding Corporate Rules as a Global Solution for Data Transfer

by Rohan Massey and Heather Egan Sussman

All multinational companies are constantly transferring data relating to identified or identifiable human beings (data subjects).  Data is moved between different parts of the same business and to and from suppliers, customers and other third parties.  When such data moves between countries, the laws of multiple countries may become relevant, potentially including a multinational business within their jurisdiction when that multinational acts as a data controller determining the purposes, conditions and means of processing involved.  This also renders the business vulnerable to potential penalties for breaches of the law.  One way to manage the ongoing problems of moving data across the world is to introduce Binding Corporate Rules (BCRs) to govern global data transfer.

To read the full article, click here.

Alison Wetherfield, former partner, also contributed to this article.

Save the Date: Privacy and Data Protection Webcast Series

In the quickly changing regulatory environment of digital privacy, an organization’s data privacy stakeholders need to understand the latest legal developments and risks their organizations face—or will face—globally.

McDermott Will & Emery is pleased to offer this complimentary three-part webcast series for professionals with data privacy responsibilities that will take a look at the legal developments in 2012 and provide a sneak peek at what new regulations may come in 2013.

Save the Date

Part I. U.S. Office for Civil Rights Finalizes Amendments to HIPAA Regulations to Implement HITECH Act
Following the issuance of regulations

Part II. Hot Topics in Workplace Privacy around the Globe
September 20, 2012

Part III. Data Privacy Year in Review
December 6, 2012

Further information on each webcast is forthcoming.

For more information, please contact McDermott Events.

FTC: Employers Who Buy Profiles from Data Brokers to Supply Profiles on Applicants or Employees Must Comply with the FCRA

by Jennifer S. Geetter, Heather Egan Sussman and Carla A. R. Hine

We recently released a Hot Topic that details the Federal Trade Commission’s (FTC) settlement with Spokeo, Inc.  Spokeo collected information about individuals from online and offline sources to create profiles that included contact information, marital status, age range and, in some cases, a person’s hobbies, ethnicity, religion, participation on social networking sites and photos that Spokeo attributed to a particular individual.  Spokeo marketed these profiles to companies in the human resources, background screening and recruiting industries as information to serve as a factor in deciding whether to interview or hire a job candidate.  The FTC concluded that Spokeo acted as a consumer reporting agency and thus violated the Fair Credit Reporting Act (FCRA) by: (1) failing to ensure the consumer reports it sold were used for legally permissible purposes; (2) failing to ensure that the information it sold was accurate; and (3) failing to inform users of Spokeo’s consumer reports of their obligations under the FCRA.  Spokeo agreed to pay $800,000 and to comply with the FCRA going forward, among other things.

There is an important message for employers in this settlement:  if you receive profile information from data brokers and use that information in making employment decisions, the FCRA applies.  And while this enforcement action focused on the data broker, the FTC could turn next to offending employers.  The FTC has published guidance on how to avoid an enforcement action in these circumstances and comply with the FCRA at "Using Consumer Reports: What Employers Need to Know."  Employers should also check the state laws that may apply, because some states restrict the use of such reports for employment purposes.

Acting General Counsel of the NLRB Issues Second Report on Social Media

by Heather Egan Sussman, Linda Doyle and Sabrina Dunlap

On Wednesday, January 25, 2012, National Labor Relations Board (NLRB) acting General Counsel Lafe Solomon released a second report describing social media cases reviewed by his office. The report (Operations Management Memo) addresses 14 cases related to social media and employer social media policies. 

Many of the cases reviewed involved employees who had been discharged after they posted comments on Facebook. The general counsel found that a number of the terminations were improper because employees had engaged in protected activity and their terminations arose from unlawful employer policies. However, the general counsel upheld several terminations – despite overly broad employer policies – where the employees involved were not engaged in protected activity and had merely posted general complaints or individual gripes unrelated to working conditions or wages.

The report emphasizes two key points made in an earlier report in August 2011: 1) Employer policies should not be so broad that they prohibit activity protected by federal labor law, such as the discussion of wages or working conditions; and 2) an employee’s comments on social media sites will generally not be protected if they are simply complaints unrelated to working conditions or wages that impact a group of employees.

There are three cases involving social media questions currently pending before the NLRB and those decisions will likely give further guidance on acceptable employer social media policies. 

In addition, McDermott partner Heather Egan Sussman will be speaking with Lafe Solomon, and Edward Loughlin (EEOC) on this topic at the International Association of Privacy Professionals (IAPP) Global Privacy Summit, Wednesday, March 7, 2012.

McDermott Releases An Employer’s Guide To Implementing EU-Compliant Whistleblowing Hotlines

by Heather Egan Sussman and Alison Wetherfield

Companies listed on U.S. stock exchanges are required under the Sarbanes-Oxley Act to establish a system for employees to internally report concerns over questionable auditing or accounting matters. These systems are often referred to as “whistleblowing hotlines”. When setting up hotlines around the globe, however, employers must be mindful of the European Union (EU) privacy regime. Previously, some EU regulatory authorities intimated that such hotlines could never be acceptable in their jurisdictions. Public company employers were left, therefore, with the unfortunate choice of forgoing the hotline and potentially violating Sarbanes-Oxley, or implementing the hotline and potentially violating EU privacy laws.

Over the past few years, however, a framework has developed, at both the EU level and among the member states, that provides guidance on how employers may lawfully implement such a hotline throughout most of the European continent. McDermott just released an article outlining a checklist of basic principles for public company employers to follow so they can stay within this framework. As explained in more detail in the article found here, these principles include: 

1. Encourage “confidential” rather than “anonymous” reporting
2. Set up a filtration system
3. Ensure confidentiality and data security
4. Limit the nature and scope of the processed data
5. Ensure compliant transfers of data outside of the EEA
6. Retain and destroy data according to local requirements
7. Give employees the right of correction
8. Inform employees about the program
9. Follow authorization procedures

By observing these basic principles when setting up a whistleblowing hotline in the EU, and by following the other best practices detailed in the full article, public companies can best position themselves to mitigate the risk of an enforcement action on both sides of the pond. 