This week, the Federal Communications Commission announced a broad consumer privacy enforcement action against over 600 telecommunications carriers. The Commission issued notices of liability against carriers that failed to certify compliance with regulations governing the protection of Consumer Proprietary Network Information (“CPNI”) and carriers that filed inadequate certifications. The Commission proposed fines of $20,000 against carriers that failed to file the required certification and up to $10,000 against carriers whose certifications were non-compliant.
On February 11, 2009, the EU Article 29 Data Protection Working Party released its long-awaited Working Document (the “Working Document”) on reconciling U.S. civil discovery requirements with European data protection law. The guidelines the Working Document offers for data controllers highlight the challenges that multinational businesses face to comply with competing legal obligations in civil litigation.
CVS Pharmacy (“CVS”), reportedly the largest retail pharmacy chain, has agreed to pay the Department of Health and Human Services (“HHS”) $2.25 million and submit a Corrective Action Plan (“CAP”) to HHS after an extensive nationwide investigation by the HHS Office of Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) which revealed that CVS employees disposed of protected health information (“PHI”) in violation of the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule. In addition, CVS Caremark, the parent company of CVS, simultaneously entered into a Consent Order with the FTC to resolve claims that CVS had engaged in unfair or deceptive trade practices in violation of the FTC Act by failing to use reasonable and appropriate measures to prevent unauthorized access to PHI and by disseminating a false or misleading privacy notice about CVS’s protection of PHI. In the Consent Order, the FTC specifically highlighted CVS’s failure to render PHI unreadable before disposal as well as its claim in its privacy notice that maintaining the privacy of its customers’ PHI was central to its operations as examples of unfair or deceptive trade practices. The CVS settlement is noteworthy for two reasons: (1) it is the first joint enforcement action between OCR and the FTC and (2) although it is the second substantial monetary settlement for alleged HIPAA violations, the $2.25 million resolution amount dwarfs the first settlement for $100,000 between HHS and Providence Health in July 2008.
On February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation issued a revised version of its information security regulations and extended the compliance deadline from May 1, 2009 to January 1, 2010. This is the second time Massachusetts has extended the deadline; previously, the deadline was changed to May 1, 2009 in consideration of the economic climate.
The Criminal Court of Milan has suspended proceedings against four Google executives to allow time to address relevant procedural considerations. The proceedings mark the culmination of a two-year investigation conducted by Italian authorities. The investigation focused on video footage made available on Google Video that depicted a disabled boy being taunted by his fellow classmates. As result of the video footage, Google executives face charges of defamation and privacy infringement.
For purposes of the criminal proceedings, Google is considered an internet content provider. Under the Italian penal code, internet content providers are distinct from internet service providers and bear responsibility for the content they make available online. As such, the Italian Prosecutor in the Google case has argued that companies are responsible for all content on their site. These charges raise questions about potential criminal liability for other online companies that allow user-generated content, such as providers of social networking sites.
The Criminal Court proceedings are expected to begin in Milan on February 18, 2009.
As part of its ongoing efforts to examine evolving internet marketing practices, earlier today the Federal Trade Commission released a report on self-regulation of online behavioral advertising. This report analyzes the comments received from interested parties in response to proposed self-regulatory principles issued by the Commission in December 2007. It covers a wide range of issues including the increasingly blurred line between personally identifiable information and non-personally identifiable information and the applicability of regulations to "first party" versus contextual advertising.
Links to the report and the concurring statements of Commissioners Harbour and Leibowitz, as well as FTC Congressional testimony on behavioral advertising, can be found here.
The New Jersey Division of Consumer Affairs has published a pre-proposal of rules relating to the protection of personal information (“PPR”) and is accepting comments on the PPR until February 13, 2009, after which it will formally propose rules. The PPR comes nearly a year after the state withdrew earlier proposed rules (the “Original Proposal”) that drew fire from the business community for the burdens they would have imposed. Among other obligations, the PPR would (i) require implementation of a comprehensive written security program; (ii) impose security breach response requirements (including new breach-notification procedures); and (iii) alter existing record disposal obligations.
In SACEM v. Cyrille Saminadin (Cour de Cassation, chambre criminelle, 13 janvier 2009), the SACEM (a representative body of authors, composers, and music editors) asked one of its agents to carry out an investigation and to collect evidence of copyright infringements on a peer-to-peer network. After selecting a peer-to-peer network, the agent manually typed in the title of a song belonging to one of the rights holders and searched for all available files corresponding to this title. The agent then randomly selected one of these files and saved all the information relating to it (IP address, country of origin, name of the internet service provider, etc.) onto a CD-ROM as evidence for use in filing a complaint. The question raised in this case was whether such activity constitutes data processing requiring the prior authorization of the French Data Protection Authority (CNIL).
On February 4, 2009 the Trilateral Committee on Transborder Data Flows met in Mexico City. The committee is comprised of representatives from the Canadian, Mexican and U.S. governments and is part of the Security and Prosperity Partnership of North America. The Trilateral Committee invited representatives from the private sector to give testimony on current and potential impediments to the free flow of personal data in North America.
On December 2, 2008, the European Court of Human Rights (ECHR) ruled in K.U. v. Finland that Article 8 of the European Convention on Human Rights requires national laws to protect individuals from serious online privacy infringements, but also that the national legal framework must allow for the identification and prosecution of offenders. This case involved an advertisement of a sexual nature, which was placed on an Internet dating site on behalf of the applicant, who was twelve years old at the time, without his knowledge.