On March 23, 2017, the New York Attorney General’s office announced that it has settled with the developers of three mobile health (mHealth) applications (apps) for, among other things, alleged misleading commercial claims. This settlement highlights for mHealth app developers the importance of systematically gathering sufficient evidence to support their commercial claims.
After three government agencies collectively created an online tool to help developers navigate federal regulations impacting mobile health apps, McDermott partner Jennifer Geetter was interviewed by FierceMobileHealthcare on the need for mobile health development tools.
On December 28, 2015, the Ministry of Industry and Information Technology of China released the newly revised Classification Catalogue of Telecommunications Services, which is due to take effect as of March 1st, 2016. This round of revision has long been awaited since its last amendment in 2003, and is expected to reflect the advancement and emergence of new technologies and business models in the telecommunication field as well as to help keep new telecommunication business models under the regulatory radar.
Read the full China Law Alert.
On April 1, 2015, the Office of the National Coordinator for Health Information Technology (ONC), which assists with the coordination of federal policy on data sharing objectives and standards, issued its Shared Nationwide Interoperability Roadmap and requested comments. The Roadmap seeks to lay out a framework for developing and implementing interoperable health information systems that will allow for the freer flow of health-related data by and among providers and patients. The use of technology to capture and understand health-related information and the strategic sharing of information between health industry stakeholders and its use is widely recognized as critical to support patient engagement, improve quality outcomes and lower health care costs.
On April 3, 2015, the Federal Trade Commission issued coordinated comments from its Office of Policy Planning, Bureau of Competition, Bureau of Consumer Protection and Bureau of Economics. The FTC has a broad, dual mission to protect consumers and promote competition, in part, by preventing business practices that are anticompetitive or deceptive or unfair to consumers. This includes business practices that relate to consumer privacy and data security. Notably, the FTC’s comments on the Roadmap draw from both its pro-competitive experience and its privacy and security protection perspective, and therefore offer insights into the FTC’s assessment of interoperability from a variety of consumer protection vantage points.
The FTC agreed that ONC’s Roadmap has the potential to benefit both patients and providers by “facilitating innovation and fostering competition in health IT and health care services markets” – lowering health care costs, improving population health management and empowering consumers through easier access to their personal information. The concepts advanced in the Roadmap, however, if not carefully implemented, can also have a negative effect on competition for health care technology services. The FTC comments are intended to guide ONC’s implementation with respect to: (1) creating a business and regulatory environment that encourages interoperability, (2) shared governance mechanisms that enable interoperability, and (3) advancing technical standards.
Taking each of these aspects in turn, creating a business and regulatory environment that encourages interoperability is important because, if left unattended, the marketplace may be resistant to interoperability. For example, health care providers may resist interoperability because it would make switching providers easier and IT vendors may see interoperability as a threat to customer-allegiance. The FTC suggests that the federal government, as a major payer, work to align economic incentives to create greater demand among providers for interoperability.
With respect to shared governance mechanisms, the FTC notes that coordinated efforts among competitors may have the effect of suppressing competition. The FTC identifies several examples of anticompetitive conduct in standard setting efforts for ONC’s consideration as it considers how to implement the Roadmap.
Finally, in advancing core technical standards, the FTC advised ONC to consider how standardization could affect competition by (1) limiting competition between technologies, (2) facilitating customer lock-in, (3) reducing competition between standards, and (4) impacting the method for selecting standards.
As part of its mission to protect consumers, the FTC focuses its privacy and security oversight of health- related information on companies and data sharing arrangements that sit outside the jurisdiction of the Health Insurance Portability and Accountability Act (HIPAA), which regulates the privacy and security practices of covered entity health care providers, health plans and health care clearinghouses, as well as the third parties that assist those covered entities, referred to as business associates. Information regulated by HIPAA, called Protected Health Information (PHI) typically resides in the “traditional medical model” of providers and health plans. Information regulated by the FTC, often called consumer-generated health information (CHI) tends to be generated outside of the traditional medical model, for example through the explosion of wearables and other digital, consumer-facing technologies.
As interoperability gathers steam, and as providers and plans increasingly look to mobile and digital health tools to maximize patient engagement and obtain additional “out of the exam room” data that they can leverage to improve patient outcomes and control costs, the divide between PHI and CHI collapses. Not only will interoperability have to contend with PHI-centered systems effectively sharing information with one another, but it will also have to contend with the need for systems to move PHI and CHI, consistent with the different consumer expectations and regulatory frameworks for such information. And then, of course, there is also state law.
The FTC’s comments highlight the central role that the FTC will play, alongside the Office of Civil Rights, which enforces HIPAA, in envisioning, deploying and overseeing the health information sharing systems beginning to emerge.
On Friday, February 13, 2015, the Payment Cards Industry (PCI) Security Standards Council (Council) posted a bulletin to its website, becoming the first regulatory body to publicly pronounce that Secure Socket Layers (SSL) version 3.0 (and by inference, any earlier version) is “no longer… acceptable for protection of data due to inherence weaknesses within the protocol” and, because of the weaknesses, “no version of SSL meets PCI SSC’s definition of ‘strong cryptography.’” The bulletin does not offer an alternative means that would be acceptable, but rather “urges organizations to work with [their] IT departments and/or partners to understand if [they] are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.” The Council reports that it intends to publish soon an updated version of PCI-DSS and the related PA-DSS that will address this issue. These developments follow news of the Heartbleed and POODLE attacks from 2014 that exposed SSL vulnerabilities.
Although the PCI standards only apply to merchants and other companies involved in the payment processing ecosystem, the Council’s public pronouncement that SSL is vulnerable and weak is a wakeup call to any organization that still uses an older version of SSL to encrypt its data, regardless of whether these standards apply.
As a result, every company should consider taking the following immediate action:
- Work with your IT stakeholders and those responsible for website operation to determine if your organization or a vendor for your organization uses SSL v. 3.0 (or any earlier version);
- If it does, evaluate with those stakeholders how to best disable these older versions, while immediately upgrading to an acceptable strong cryptographic protocol as needed;
- Review vendor obligations to ensure compliance with a stronger encryption protocol is mandated and audit vendors to ensure the vendor is implementing greater protection;
- If needed, consider retaining a reputable security firm to audit or evaluate your and your vendors’ encryption protocols and ensure vulnerabilities are properly remediated; and
- Ensure proper testing prior to rollout of any new protocol.
Additional resources and materials:
On the third anniversary of the EU Commission’s proposed new data protection regime, the UK ICO has published its thoughts on where the new regime stands. The message is mixed: progress in some areas but nothing definitive, and no real clarity as to when the new regime may come into force.
The legislative process involves the agreement of the European Commission, the European Parliament and the Council of Europe (representing the governments of the member states). So far the European Parliament has agreed its amendments to the Commission’s proposal and we are still waiting for the Council to agree it’s amendments before all three come together and try and find a mutually agreeable position.
The Council is guided by the mantra “nothing is agreed until everything is agreed”, and so even though there has been progress with the Council reaching “partial general agreement” on international transfers, risk-based obligations on controllers and processors, and the provisions relating to specific data processing situations such as research and an approach agreed on the one-stop shop principle (allowing those operating in multiple states to appointed and deal with a single authority), this progress means nothing until there is final agreement on everything. At this stage that means all informal agreements remain open to renegotiation.
It is noted that Latvia holds the presidency of the Council until June 2015. The Latvians have already noted that Anydata protection reform remains a key priority but progress has been slow and time may be against them. Where Latvia fails, Luxembourg will hopefully succeed as it takes up the presidency from June.
The ICO is urging all stakeholders to push on with the reform, although they see the proposed timetable of completion of the trilogue process by the end of 2015 as being optimistic. Instead a more reasonable timetable may be a final agreement by mid-2016 with the new regime up and running in 2018.
In 2014, regulators around the globe issued guidelines, legislation and penalties in an effort to enhance security and control within the ever-shifting field of privacy and data protection. The Federal Trade Commission confirmed its expanded reach in the United States, and Canada’s far-reaching anti-spam legislation takes full effect imminently. As European authorities grappled with the draft data protection regulation and the “right to be forgotten,” the African Union adopted the Convention on Cybersecurity and Personal Data, and China improved the security of individuals’ information in several key areas. Meanwhile, Latin America’s patchwork of data privacy laws continues to evolve as foreign business increases.
This report furnishes in-house counsel and others responsible for privacy and data protection with an overview of key action points based on these and other 2014 developments, along with advance notice of potential trends in 2015. McDermott will continue to report on future updates, so check back with us regularly.
For those Of Digital Interest readers attending the Brand Activation Association’s (BAA) 36th Annual Marketing Law Conference, please join McDermott partner – and Of Digital Interest editor – Julia Jacobson as she moderates a panel titled “New and Unexpected: Developments in Mobile Marketing – Mobile Tracking, Apps and Mobile Payments.” She will be joined by Ira Schlussel of HelloWorld, Inc., Paul Twarog of Google Inc. and co-moderator Terese Arenth. The panel session starts at 3:20 pm on Thursday, November 6. We hope to see you there.
Changes Impacting Businesses that Process Personal Data in Russia
On July 21, 2014, a new law Federal Law № 242-FZ was adopted in Russia (Database Law) introducing amendments to the existing Federal Law “On personal data” and to the existing Federal Law “On information, information technologies and protection of information.” The new Database Law requires companies to store and process personal data of Russian nationals in databases located in Russia. At a minimum, the practical effect of this new Database Law is that companies operating in Russia that collect, receive, store or transmit (“process”) personal data of natural persons in Russia will be required to place servers in Russia if they plan to continue doing business in that market. This would include, for example, retailers, restaurants, cloud service providers, social networks and those companies operating in the transportation, banking and health care spheres. Importantly, while Database Law is not scheduled to come into force until September 1, 2016, a new bill was just introduced on September 1, 2014 to move up that date to January 1, 2015. The transition period is designed to give companies time to adjust to the new Database Law and decide whether to build up local infrastructure in Russia, find a partner having such infrastructure in Russia, or cease processing information of Russian nationals. If the bill filed on September 1 becomes law, however, that transition period will be substantially shortened and businesses operating in Russia will need to act fast to comply by January 1.
Some mass media in Russia have interpreted provisions of the Database Law as banning the processing of Russian nationals’ personal data abroad. However, this is not written explicitly into the law and until such opinion is confirmed by the competent Russian authorities, this will continue to be an open question. There is hope that the lawmakers’ intent was to give a much needed boost to the Russian IT and telecom industry, rather than to prohibit the processing of personal data abroad. If this hope is confirmed, then so long as companies operating in Russia ensure that they process personal data of Russian nationals in databases physically located in Russia, they also should be able to process this information abroad, subject to compliance with cross-border transfer requirements.
The other novelty of this new Database Law is that it grants the Russian data protection authority (DPA) the power to block access to information resources that are processing information in breach of Russian laws. Importantly, the Database Law provides that the blocking authority applies irrespective of the location of the offending company or whether they are registered in Russia. However, the DPA can initiate the procedure to block access only if there is a respective court judgment. Based on the court judgment the DPA then will be able to require a hosting provider to undertake steps to eliminate the infringements. For example, the hosting provider must inform the owner of the information resource that it must eliminate the infringement, or the hosting provider must restrict the owner’s access to the information that is processed with the infringements. In case of the owner’s refusal or inaction, the hosting provider is obliged to restrict the access to the respective information resource altogether. If the foregoing steps are not performed by the hosting provider in due course, the DPA may request that the communication service provider restrict access to the respective information resource altogether, in particular to web address, domain name and references to the web pages in the internet.
Changes Impacting Businesses that Process Internet Communications
In addition to the new Database Law, a new Federal Law № 97-FZ dated May 5, 2014 (Moderator Law) amends an existing Federal Law “On information, information technologies and information protection” to create new obligations for organizers of information distribution in the internet (moderators). The term “moderator” is defined as those maintaining information systems or software designed or used to receive, transfer, deliver or process electronic messages on the internet. The relevant Russian regulator has clarified unofficially that the Moderator Law is addressed only to instant messaging, blogging, social media and e-mails (see clarification at http://rkn.gov.ru/press/publications/news26545.htm). However, the broad and ambiguous definition makes it possible to apply the Moderator Law to every website that has a chat or comment feature, or that is capable of sending or receiving messages from users. The definition as it is might also apply to e-commerce, services of cloud storage, and more.
The amendments impose several new obligations on moderators, some of which give sweeping new rights of access to the Russian Government:
- All moderators must file notification to the state authorities upon commencing moderating activity (meaning, upon maintaining information systems or software designed or used to receive, transfer, deliver or process electronic messages on the internet). The entity shall file notification upon respective request of competent state authority or at its own initiative. The entity then will be qualified as moderator after its inclusion into special Register of moderators. The particular procedure of notification is specified in the Governmental Regulation №746 dated July 31, 2014 which became effective August 12, 2014.
- All moderators are obliged to store (in the territory of Russia for not less than six months) information on the facts of reception, transfer, delivery, processing of electronic messages of users and the data of such users. The types of information to be stored are determined in recently published in Governmental Regulation № 759 dated July 31, 2014 which became effective August 14, 2014. The Regulation also specifies categories of the users whose electronic messages and data should be stored. Moderators also are under obligation to transfer such information to competent state authorities upon their request. The requested information should be provided by the moderator within the specified term which is under general rule 30 days. However, there might be urgent requests which imply requirement to provide information within three days.
- The moderators are obliged to comply with requirements for technical equipment as well as software and hardware tools established by the state authorities responsible to ensure security (for example, Federal Security Service), as well as those conducting criminal investigation in order to let them perform their functions. For example, if the state authority cannot decrypt requested information on the moderator’s information systems, the moderator must assist authorities by taking required steps to grant access to the information it needs. The detailed procedure on liaising of moderators with state authorities on technical requirements is specified in the Governmental Regulations №743 dated July 31, 2014, which became effective August 12, 2014.
Note, however that the outlined obligations are not applicable to operators of state (municipal) information systems, communications operators (i.e., legal entities rendering communications services under the respective license) as well as to the individuals acting as moderators for private (personal) purposes.
If a moderator fails to comply with the Moderator Law or its implementing Regulations, the competent state authority is entitled to restrict access to the informational resources of the moderator by following statutory specified procedure set forth in the Governmental Regulation №745 dated July 31, 2014, which became effective August 12, 2014.
The violation of the Moderator Law and its implementing Regulations exposes the company and its officers to the following potential fines:
- Failure to file required notifications can result a company fine from 100,000 to 300,000 RUR ($2,695.84 up to $8,087.52 USD) and a fine for company officers ranging from 10,000 to 30,000 RUR ($269.58 to $808.75 USD);
- Failure to store information or ensure access by authorities can result in a company fine ranging from 300,000 to 500,000 RUR ($8,087.52 up to $13,479.20 USD) , and a fine for or company officers – from 30,000 to 50,000 RUR ($808.75 up to $1,347.92 USD); and
- Failure to comply with technical requirements can result in a company fine ranging from 300,000 to 500,000 RUR ($8,087.52 up to $13,479.20 USD) and a fine for company officers ranging from 30,000 to 50,000 RUR ($808.75 up to $1,347.92 USD).
Guest author, Maria Ostashenko is Of Counsel at ALRUD Law Firm based in Moscow, Russia. Ms. Ostashenko and the ALRUD Firm are part of McDermott’s worldwide network of local privacy counsel who enable us to deliver seamless advice to multinational clients with the speed, efficiency and quality that our clients have come to expect from our team.
Privacy and data protection continue to be an exploding area of focus for regulators in the United States and beyond. This report gives in-house counsel and others responsible for privacy and data protection an overview of some of the major developments in this area in 2013 around the globe, as well as a prediction of what is to come in 2014.