The Effect of EU Privacy Law on US Businesses – Views of a UK Lawyer
The result of the adoption by the EU of the Data Protection Directive (95/46/EC) is that businesses based in the US which trade with businesses in Europe are affected by its provisions. Unfortunately for US businesses, co-operation with the Directive is not optional, as a failure to do so could seriously curtail US/EU trading relationships.
Historically, Europe has adopted a fairly strict legislative approach to data protection (in contrast to the US). The essence of the EU Directive is to provide a framework for businesses which defines and limits the use(s) which businesses may make of personal data which they collect. In the UK, the Directive has effect as the Data Protection Act 1998 (the "Act"). ‘Personal data’ is information which identifies an individual, e.g., name, address, email address etc. In practical terms, the Directive imposes a culture of openness on businesses regarding their use of data—they generally need to obtain the consent of an individual to use the individual’s data.
Difficulty arises in relation to the eighth principle of the Act. This prohibits businesses located in the EEA (European Economic Area) from transferring personal data to countries which do not afford ‘adequate protection’ to data. (The EEA consists of the member states of the EU as well as Norway, Liechtenstein and Iceland). Unfortunately, most countries outside the EEA (including the US) are not deemed to afford adequate protection to data.
The possible consequences of the eighth principle are serious and could cause major disruption to international trade. For example, a UK-branch of a US company would be in breach of the eighth principle if it sent an email containing UK employee names to the US-based head office. Similarly, the mere accessing by the US company of the UK branch’s database would be deemed to be a transfer of data if personal data were viewed.
UK businesses which do not comply with the eighth principle face significant penalties which, at their most severe, could lead to them being prohibited from using personal data. Ultimately, this would prevent a business from operating.
Safe Harbor
If the above seems bleak, then the good news is that steps can be taken by US businesses in order to overcome the eighth principle difficulty. In recognition of the seriousness of the issue, the European Commission and the Federal Trade Commission (FTC) were involved in intense negotiations during 2000 in an attempt to reach agreement on an acceptable means of data transfer.
The solution formulated by them is the ‘Safe Harbor’ arrangement. This is a voluntary arrangement and involves the ‘signing up’ by companies in the US to adherence to a set of data-protection principles similar to those which apply in the EU. Companies can do this in a number of ways—they can, for example, develop their own policy which meets those standards or they can comply with existing US sector regulation which achieves equivalent standards.
Once the US company has implemented the necessary standards, it must self-certify its compliance to the US Department of Commerce. Self-certified companies will be listed by the Department of Commerce on its website at www.exports.gov/safeharbor. In order to ensure compliance with the Safe Harbor principles, organizations must put in place a dispute resolution system to investigate individual complaints. Generally, the statutory overseer will be the FTC which will be able to take action against offending companies for unfair trade practices under the Federal Trade Commission Act.
As companies which are in the Safe Harbor will be deemed to offer adequate protection to personal data, UK businesses will be able to freely transfer data to them.
Any Other Options?
If, for whatever reason, you prefer not to sign up to the Safe Harbor, you can adopt alternative approaches.
1. Consent
The Act does allow the transfer of personal data outside the EEA if the individuals who are the subject of that data consent to the transfer. Your UK partners would have to obtain that consent. Note, however, that in order to be valid, consent requires some form of positive response from the individuals concerned (e.g., the return of a document such as a registration form or memo by each individual stating his or her agreement to data being transferred).
There are difficulties with this approach, however. Obtaining consent from each individual whose data is collected may be both onerous and, in reality, an impossibility, i.e., a customer cannot be compelled to return a form. In addition, there is always the possibility of an individual refusing to grant consent.
2. Check your adequacy
Alternatively, UK companies can opt to carry out an ‘adequacy test’ of the protection your company would give to the data transferred. To date, the Information Commissioner (who enforces the Act) has suggested that carrying out an adequacy test may be an arduous task for the company performing the test. Reliance on an adequacy finding also carries with it an element of uncertainty, as the Information Commissioner might well take a different view if that adequacy were ever called into question.
3. Contract
Arguably the best alternative to Safe Harbor is to enter into a contract with your UK partners who wish to transfer personal data to you. The contract should require you to comply with all the requirements of the Act in relation to the personal data you receive. While this may appear to be an onerous obligation, it is unlikely to be more so than signing up to the Safe Harbor. The bottom line is that a UK company cannot transfer data to you unless your company affords that data adequate protection.
4. Exceptions Under the Act
The Act also provides that data can be transferred outside the EEA in the following circumstances:
- where the transfer is necessary for the performance of a contract between the individual and the company processing the data;
- where the transfer is necessary for the performance or conclusion of a contract between the company and a third party which is in the interests of the individual; and
- where the transfer is necessary for the purpose of or in connection with legal proceedings.
Caution should be exercised in relying on the first two items in particular. There is a view that a ‘necessary’ transfer will be narrowly interpreted—i.e., only transfers which are absolutely necessary would benefit from this exception. Unless you believe that all the transfers of data from the UK are necessary, alternate options should be considered.
Is Safe Harbor Available To Every Industry Sector?
Unfortunately, no. Financial institutions and the telecommunications sector have been excluded. Therefore, US companies active in those sectors will need to consider implementing data transfer solutions other than the Safe Harbor option.
Steps To Take
Although the Act has been in force for some time, for companies based in the UK the eighth principle does not have effect until 24 October 2001. However, with that date fast approaching, US companies who do business with companies in the UK need to do the following:
- establish whether your UK trading partners transfer data to you (they probably do);
- consider whether you wish to sign up to the Safe Harbor arrangement;
- if you do not wish to sign up to the Safe Harbor and you have affiliates worldwide, consider implementing a group-wide data protection policy which meets European standards. This will mean that data transferred to you from the UK will be adequately protected;
- if you do not wish to sign up to the Safe Harbor and you have UK trading partners who are not group companies, initiate discussions with each of them to agree on a solution to this difficulty. In many circumstances, the best approach will be to enter into a contract with those partners;
- do not delay. Compliance needs to be up and running for the purposes of the Act by 24 October 2001.
Finally, although US businesses may, understandably, resent the obligation to comply with EU legislation, remember that we are increasingly in an age when the public is aware of and interested in privacy issues. Therefore, an open and transparent approach to privacy issues can, in fact, be a valuable marketing tool which will build public confidence in a business. One only has to consider the damaging publicity which was attracted by Doubleclick and Toysmart.com recently, both of whom (and in different ways) fell afoul of privacy law standards. The reality surely is that companies who ignore privacy issues do so at their own peril.
HIPAA and You: What HIPAA Privacy Rules Mean to Non-Healthcare Businesses
On December 22, 2000, the U.S. Department of Health and Human Services ("HHS") announced a broad array of final rules designed to protect the privacy of personal health information. The rules will impose significant obligations on a broad range of businesses that never before fell under the regulatory purview of HHS. As a consequence, affected businesses may be unaware of the obligations and risks created by the new rules.
What—Me Worry?
You may be thinking that your firm is not a health care business, will never be a health care business, and is less likely to face regulation by HHS than to expand operations to Antarctica. If so, you’d be wrong. Under rules relating to "business associates" of health care companies, the new rules are likely to impose substantial obligations on businesses that have even minimal interactions with health care businesses.
For example, your firm may provide computer consulting services to a wide range of businesses, including hospitals. By virtue of their access to the hospitals’ computer systems, your employees will have access to patient health records. In turn, this access implies that your firm can only provide such service to the hospital if it complies with HIPAA. (More precisely, the hospital would be prohibited from doing business with your firm, unless it first agreed to adopt specific safeguards related to the use of private health information.)
Likewise, financial institutions, law firms, accountants, and so on would be precluded from providing services to health care firms, unless they adopted safeguards for private information, which could prove onerous.
Background
The new privacy rules stem from a congressional mandate issued to HHS as part of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). In particular—and somewhat ironically—the new privacy rules arise under the "Administrative Simplification" requirements of HIPAA. Although HHS’ efforts to develop uniform standards for management of personal health information may simplify the administration of health care in the long run, in the short run those efforts appear to rest on torturously complex rules that will be extremely costly to implement.
An Overview Of The HIPAA Privacy Rules
In a nutshell, the new HIPAA privacy rules appear to rest on three principles related to personal or "protected" health information ("PHI"):
- Patients have the right to access and track use of their PHI.
- PHI may not be used without the patient’s consent.
- Any use or disclosure of PHI must be limited to the "minimum necessary" to accomplish the legitimate purpose of such use.
To implement these principles, HHS has constructed rules of Byzantine complexity. The rules, for example, address:
- What is the scope of a patient’s right to privacy?
  - The right to notice of privacy practices
  - The right to access one’s own PHI
  - The right to correct or amend PHI
  - The right to an accounting of use or disclosure of PHI
  - The right to request special safeguards
- Who must comply with the HHS Rules?
  - Covered entities (providers, health plans, clearing houses)
  - Business associates of covered entities
- What constitutes consent?
  - (It depends on the circumstances.)
- When is consent to use PHI not required? (various emergency, public health, and law enforcement purposes)
- What are the penalties for non-compliance?
  - For "covered entities": Civil and criminal penalties up to $250,000 and 10 years’ imprisonment
  - For business associates: See below.
HIPAA And Business Associates
In HIPAA, Congress expressly authorized HHS to adopt standards to govern the management of health information by health plans, health clearing houses, and providers—i.e., "covered entities." Perhaps to sidestep potential legal challenges, HHS did not assert authority directly to regulate other entities. Instead, HHS has asserted that the new rules governing the exchange of health information between covered entities and third parties are authorized under its power to "place restrictions on the flow of information from covered entities to non-covered entities."
In accordance with this reasoning, the new privacy rules do not directly regulate non-covered entities. Instead, the rules impose significant limits on the ability of covered entities to disclose PHI to third parties [i.e., business associates].
First, the restrictions otherwise applicable to a covered entity’s use of PHI would apply to its disclosures of such information to a business associate. Thus, disclosures could only be made to a business associate (1) if the individual consents to the use of such information for "treatment, payment, or healthcare operations;" (2) the consent includes a reference to an explanatory privacy notice; and (3) such disclosures are the minimum necessary to achieve their purpose. Second, the disclosure can be made only if the business associate provides "satisfactory assurances" that it will "appropriately safeguard the information." Further, such "assurances" must be provided in the form of written "business associate contracts" ("BAC") as discussed below.
In short, the new privacy rules only indirectly impose duties on business associates. Nonetheless, and as discussed below, those duties are likely to prove onerous.
To Whom Do The Business Associate Rules Apply?
The business associate rules generally apply to any person or entity who may be provided with PHI by a covered entity to perform services on behalf of the covered entity. The rules, for example, expressly cover persons who provide a covered entity with "legal, actuarial, accounting, consulting, data aggregation, management, accreditation or financial services…where the provision of services involves the disclosure of individually identifiable health information."
What Do The "Business Associate Rules" Require?
As noted above, the business associate rules provide that a covered entity may only share protected health information with a business associate if the covered entity and the business associate have first entered a BAC that:
- Specifies the scope of permitted uses and disclosures of PHI. In general, the contract may not, however, authorize any uses or disclosures that would violate the covered entity’s obligations under the privacy rule. (The contract may, however, allow the business associate to provide data aggregation services or use the information for its own lawful management and administrative operations.)
- Prohibits the business associate from using PHI for purposes beyond the scope of the agreement or as required by law.
- Requires the business associate to use "appropriate safeguards" to protect the PHI from improper disclosure and to report any unauthorized uses or disclosures to the covered entity.
- Requires the business associate to pass through its privacy obligations to any contractors or subcontractors.
- Requires the business associate to make available PHI to the individual to whom it relates.
- Requires the business associate to make available information that allows for an accounting of disclosures of an individual’s PHI for the six years prior to the date on which the accounting is requested (except for disclosures required to carry out treatment, payment, and health care operations).
- Requires the business associate to make its books and records available to the Secretary of HHS for purposes of "determining the covered entities’ compliance."
- Requires the business associate to return or destroy all PHI at the termination of the contract.
- Authorizes the covered entity to terminate the agreement if it determines that the business associate has violated a material term of the contract.
Many of the required terms for a business associate contract ("BAC") are unlikely to alter existing duties and relationships. For example, most commercial agreements already limit the use of confidential information and require its return or destruction. (To comply with BAC requirements, such agreements would need to be modified to assure that PHI is included in the existing contract’s definition of "confidential information" or the like.)
The biggest challenges arising from the new requirements are likely to arise in connection with the required "access" and "audit" terms. Few business associates are likely to have systems in place to manage and track use of PHI to the extent required by the new rules. The cost of complying with their terms, moreover, may be substantial.
In addition, the requirement that business associates use "reasonable safeguards" to protect PHI is a bit of a wildcard. Most notably, HHS is completing final rules on security for PHI that, for covered entities, will be a partner to the new privacy rules and costly to implement. The risk to business associates is that the security rules will be imposed on business associates by virtue of their BACs.
Penalties For Non-Compliance With Business Associate Contracts
For business associates, there is good and bad news with respect to penalties for violating the new rules. Although the scope of the civil and criminal penalties specified in HIPAA are far from clear, on their face they appear applicable only to covered entities. In other words, a business associate may not face the civil and criminal penalties set forth in HIPAA upon breach of a BAC.
The bad news is that business associates won’t be able to take much solace from the limited applicability of the HIPAA penalties themselves. There are several reasons for concern.
First, most BACs will inevitably include severe indemnification requirements. A covered entity would be ill-advised to enter a BAC that does not require full indemnification for penalties incurred as the result of the business associate’s negligence or misconduct.
Second, the access and audit provisions of the BAC will invite close scrutiny of a firm’s practices. Such scrutiny may well lead to various common law, state law, or federal claims against a business associate. For example, claims based on state or federal unfair competition, consumer protection laws, or other privacy laws may arise from failure to comply with a BAC.
Third, even if criminal penalties under HIPAA don’t apply to business associates, non-compliance might give rise to criminal liability under other existing law. Under some circumstances, for example, non-compliance with a BAC could possibly give rise to a criminal claim under mail and wire fraud statutes, the False Claims Act, RICO, and the like.
Conclusion
The new privacy rules enacted under HIPAA are among the most significant new enactments adopted as part of the recent wave of privacy legislation and regulation. The new rules have implications far beyond traditional health care businesses, and their implications should be considered by all businesses that use or have access to PHI as part of their operation.
Privacy Legislation in the UK – A UK Lawyer’s Description of the Data Protection Directive
Today, the collection by organizations of data about individuals and the global movement of data operates at an unprecedented level (facilitated, to a large extent, by electronic communication technology). Businesses increasingly regard the data they collect as a valuable asset which can be used to increase profitability by means of direct marketing and cross-selling.
However, in the absence of EU-wide legislation governing use by organizations of personal data, organizations were largely free to deal with data as they wished. Against this background, the European Community adopted the Data Protection Directive in 1995 which required European Union (EU) countries to implement equivalent national legislation by 24 October 1998. Most EU countries have now complied and, in the UK, the Data Protection Act 1998 (the Act) came into force on 1 March 2000.
UK Data Protection Act 1998—The Principles
Before the Directive was adopted, the UK already had domestic data protection legislation. However, the Act has significantly expanded the rules on data protection so that UK businesses need to take new steps to comply with it.
Essentially, the Act lays down eight principles with which organizations who process personal data must comply. ‘Processing’ is given a wide meaning and refers to any action carried out in relation to data, e.g., collecting, holding, using, deleting etc. Put another way, there is no identifiable action which can be taken in relation to personal data which does not amount to processing.
‘Personal data’ is defined as information which identifies a living individual, e.g., a name, email address, telephone number. Therefore, the name of a company does not amount to personal data but the contact information which a business has in relation to that company (e.g., the name of a Sales Director) will constitute personal data. The Act also defines ‘sensitive data.’ This includes information of a sensitive nature relating, for example, to an individual’s racial or ethnic origin, religious beliefs, sexual life or physical or mental health. When dealing with sensitive data, organizations (or ‘data controllers’ as referred to in the Act) are required to comply with increased requirements set out in the Act (see para 2.1 below).
First Principle—Fair and lawful processing
A fundamental principle of the Act is that data controllers must process data fairly and lawfully. In order to do that, data controllers must be able to justify their processing of data with reference to at least one of the grounds laid out in the Act. Generally, the justification for processing data will be that the individual concerned (i.e., the data subject) has given his/her consent to the processing. In some circumstances, data controllers may argue that the processing of data is in the legitimate interests of the business, particularly if it is impossible or impractical to obtain the consent of the data subjects.
However, when sensitive data is processed, an additional justification must be provided. The justifications for processing sensitive data are narrowly drafted and will generally require the giving of ‘explicit consent’ by the data subject to the processing. For consent to be valid, a positive response from the data subject is required. This could amount to a customer sending a form to a company when he/she registers or an online ‘click’ to consent.
Second Principle—Specified purposes
The Act states that data subjects must not be misled as to the purpose or purposes for which personal data is processed. Therefore certain information should be given to the data subject, including:
- the identity of the data controller (and, if the data controller has obtained the individual’s information from a third party, a statement to that effect);
- the purpose(s) for which the data is intended to be processed;
- the party(ies) to whom the data may be disclosed; and
- any other information which is necessary to ensure that processing is fair.
Data controllers may only claim an exemption from providing the above information if it would involve disproportionate effort.
Third Principle—Adequate, relevant and not excessive
This simply means that personal data should be relevant to the purposes for which it is collected. Therefore businesses should make sure that they do not ask individuals for any information which is not necessary for the purposes of the transaction in question.
Fourth Principle—Accurate and up to date
Data controllers must take reasonable steps to ensure that data is accurate. This means that data controllers should only accept data from reliable sources and should take reasonable precautions to verify the information. It is likely to be reasonable for data controllers to rely on the data submitted to them by a customer unless there is an irregularity about it which suggests its inaccuracy, e.g., a website visitor called ‘Donald Duck’ from Disneyland.
The Act does not expand on the requirement that personal data be kept up to date. A practical approach in relation to data collected via a website is to limit the ‘lifespan’ of website passwords given to visitors. The site could automatically require the visitor to re-enter personal details after, for example, a twelve-month period. In this way any inaccuracy in personal data will be corrected annually.
Fifth Principle—Not kept for longer than necessary
The Act does not expand on this principle. In practice, unless there is an obligation to maintain personal data for a specified period of time (e.g., attorney/client files, wages or tax records), it is suggested that the safest option is to retain data until the expiry of the period within which legal action could be taken. In the case of personal data collected via a website, a shorter time period may be preferable (e.g., twelve months). Whichever approach is taken, businesses should have a clear ‘retention of data policy’ in place for removal of obsolete data.
Sixth Principle—Rights of data subjects
One of the more notable aspects of the Act is the emphasis it places on the rights of data subjects in relation to their personal data. In particular, the data subject has the right to access all data held in relation to the data subject by an organization on payment of a fee (£10). This disclosure obligation extends to ‘manual data’ (i.e., hand-written data) as well as computerized data. This clearly has implications for Human Resources Departments in particular who will need to put procedures in place to be able to respond to these requests. Furthermore, Human Resources personnel will need to be aware (and possibly rec