
This month, in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Case C-311/18, commonly called "Schrems II"), the Court of Justice of the European Union invalidated Commission Implementing Decision (EU) 2016/1250 on the adequacy of the EU-US Privacy Shield. See the judgment posted here.

The practical consequence is that transfers of personal data to the United States can no longer rely on the Privacy Shield as their legal basis. A company that keeps transferring on that basis, or that relies on standard contractual clauses without assessing whether US law undermines the protection those clauses promise, is transferring in breach of Chapter V of the GDPR and is exposed to the administrative fines in Article 83.

In 2015, in the first Schrems case (Case C-362/14), the Court had invalidated the Commission's Safe Harbour decision, holding that it did not ensure an adequate level of protection for personal data transferred to the United States. Schrems' original complaint concerned Facebook Ireland's transfer of his data to servers in the United States. He then reformulated his complaint and asked the Irish Data Protection Commissioner to suspend Facebook Ireland's future transfers of his personal data, which by then relied on the Commission's standard contractual clauses. These are the key points of the Court's judgment of 16 July 2020:

1. A transfer of personal data for commercial purposes by an economic operator in a Member State to an economic operator in a third country falls within the scope of the GDPR, even though the data may be processed by the authorities of that third country for purposes of public security, defence and State security after the transfer. The national security exclusion in Article 2(2) GDPR covers activities of the Member States, not the transfer itself.

2. Personal data transferred to a third country on the basis of standard contractual clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter of Fundamental Rights.

3. The assessment of that level of protection must take into account both the contractual clauses agreed between the EU data exporter and the recipient in the third country and, as regards any access to the data by the public authorities of that third country, the relevant aspects of its legal system, in particular the elements listed in Article 45(2) GDPR.

4. Unless a valid Commission adequacy decision exists, a supervisory authority is required to suspend or prohibit a transfer of personal data to a third country where, in its view, the standard data protection clauses are not or cannot be complied with in that country and the protection of the transferred data cannot be ensured by other means.

5. The Court upheld the validity of the Commission's standard contractual clauses decision, Decision 2010/87/EU. Those clauses oblige the data exporter and the recipient to verify, prior to any transfer, that the required level of protection is respected in the third country; oblige the recipient to inform the exporter of any inability to comply with the clauses; and oblige the exporter in that event to suspend the transfer and/or terminate the contract.

6. "The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities . . . are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary."

7. In reaching its conclusion, the Court stressed that data subjects would have no cause of action before a court or other body offering guarantees essentially equivalent to those required by EU law, and that the Privacy Shield Ombudsperson mechanism does not fill that gap, since the Ombudsperson cannot issue decisions binding on the United States intelligence services.



This week Relativity announced that it is now HIPAA compliant. The Department of Health and Human Services (HHS), through its Office for Civil Rights, enforces the standards of the Health Insurance Portability and Accountability Act. On its web site, HHS provides guidance on how providers of cloud computing services (CSPs) can make sure that the protected health information (PHI) they host is secured in accordance with the HIPAA rules.

HHS confirms that PHI can be stored with a cloud service, but a HIPAA-compliant business associate agreement (BAA) must be entered into first. The parties may also use a service level agreement to address matters such as back-up and data recovery; data retention and the manner in which data is returned; and system availability and reliability, provided it is consistent with the BAA. A CSP that hosts PHI without an executed business associate agreement is in violation of the HIPAA rules.

A CSP that stores electronic PHI (ePHI) on behalf of a covered entity or business associate is itself a business associate even if it holds only encrypted data and has no decryption key (a so-called "no-view" service). Encryption reduces the risk to confidentiality, but it does not by itself satisfy the Security Rule's requirements for the integrity and availability of ePHI, which the CSP must still address.

A CSP that maintains ePHI is not a "conduit" for the purposes of HIPAA compliance. The conduit exception is narrow and covers only services that merely transmit PHI (and store it temporarily, incidental to the transmission), such as the postal service or an internet service provider.

HHS does not endorse or certify cloud service providers; a vendor's claim of "HIPAA compliance" is not an HHS certification.

The HIPAA Security Rule requires a business associate to report security incidents to the covered entity, but it does not prescribe the level of detail, frequency or format of those reports; the parties may agree those terms in the business associate agreement.

Healthcare providers can use mobile devices to access PHI stored in the cloud, provided the Security Rule's safeguards are applied to the devices and the connection.

Upon termination of a business associate agreement, the CSP must return or destroy all PHI it holds for the customer. Where that is infeasible, the agreement must extend the HIPAA protections to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.

PHI can be stored on servers outside of the United States, but the risk analysis and risk management of both the customer and the CSP should account for the added risks, such as a foreign legal environment that may affect the security of the data.

HIPAA does not require a CSP to allow customers to audit its security practices, but the customer must still obtain satisfactory assurances, through the business associate agreement, that the CSP will appropriately safeguard the ePHI.

The HIPAA Privacy and Security Rules do not apply to data that has been de-identified in accordance with the Privacy Rule's de-identification standard (45 CFR 164.514).



California law requires businesses and state agencies to notify individuals when their unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Since 2017 the duty also extends to encrypted personal information where the encryption key or security credential was also acquired and could render the data readable. See California Civil Code s. 1798.29(a) (state agencies) and California Civil Code s. 1798.82(a) (businesses). A person or business that must notify more than 500 California residents as a result of a single breach must also submit a sample copy of the notification to the state attorney general, using the online form available here. The sample copy should not include personally identifiable information. The form is not covered by the provisions of the California Public Records Act, which requires that law enforcement agencies disclose information if it would not jeopardize ongoing investigations.

A business that maintains data it does not own must notify the owner or licensee of the data immediately following discovery of the breach; affected individuals must be notified in the most expedient time possible and without unreasonable delay. The notice itself must be written in plain language, be titled "Notice of Data Breach," and present its content under five headings:

1. What Happened

2. What Information Was Involved

3. What We Are Doing

4. What You Can Do

5. For More Information.

The statute itself includes a model form that businesses may use to meet these requirements.

Businesses must state the date of the breach, its estimated date, or the date range within which it occurred, if that can be determined at the time the notice is given. If the business providing the notice was the source of the breach, and the breach exposed or may have exposed a Social Security number or a driver's license or identification card number, it must offer appropriate identity theft prevention and mitigation services at no cost for not less than 12 months. For the purposes of the notification statute, personal information is a person's first name or first initial and last name in combination with any of the following, where either the name or the data element is unencrypted:

1. Social Security number

2. Driver's license number or California identification card number (and, since 2020, tax identification number, passport number, military identification number, or other unique government identification number)

3. Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to the account

4. Medical information

5. Health insurance information

6. Information or data collected through an automated license plate recognition system

7. Unique biometric data used to authenticate a specific individual, such as a fingerprint, retina or iris image (added in 2020).

Separately, a username or email address in combination with a password or security question and answer that would permit access to an online account is personal information even without a name.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.
