Regulatory

A potential path forward after the Irish Data Protection Commission enforcement decision regarding Meta Ireland

The Irish Data Protection Commission (DPC) has determined that Meta Ireland infringed Article 46(1) of the GDPR when it “continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.” The DPC has given Meta Ireland 6 months to find a solution. This is just enough time to create the possibility of a road forward; a possibility which is contained primarily in the effective implementation of proposed European - U.S. Data Privacy Framework on the part of the U.S. and the EU.

WPF on EASA: Self-Regulation on Online Behavioral Advertising No Longer Credible

Comments on EASA --The World Privacy Forum submitted comments today on the European Advertising Standards Alliance's Best Practice Recommendation on Online Behavioural Advertising. Our comments focus upon three key areas: First, the EASA recommendation fails to recognize the protection of consumer privacy in Online Behavioral Advertising (OBA) as a key policy goal. Second, the recommendation's protections are narrow, creating illusory protections for user privacy, whether or not they opt out of OBA. Finally, we critique the oversight and compliance mechanisms, which are not likely to foster consumer confidence nor police the industry. Drawing upon the WPF's 2007 report, The NAI: Failing at Consumer Protection and at Self-Regulation, the comments argue that EASA's approach suffers from the same weaknesses as self-regulatory approaches deployed in the United States, and that European lawmakers should not replicate the failed American approach. Law students from the Samuelson Law, Technology & Public Policy Clinic helped draft the comments as part of an ongoing project on consumer privacy and OBA.

New Report on US Department of Commerce Privacy Track Record

Department of Commerce and Safe Harbor -- New Report The World Privacy Forum published a new report today that evaluates the US Department of Commerce's work on privacy protection for consumers, given its role overseeing such critical programs as the US/EU Safe Harbor data agreement. The report, The US Department of Commerce and International Privacy Activities: Indifference and Neglect, identifies a number of issues of concern regarding the Department's privacy programs, most particularly, the current Safe Harbor framework. The report's analysis find that three separate studies consistently show that many and perhaps most Safe Harbor participants are not in compliance with their obligations under Safe Harbor.

World Privacy Forum comments on genetic non-discrimination to HHS

Genetic non-discrimination regulations (GINA) -- The World Privacy Forum filed comments on proposed regulations for implementing Title I of GINA, the Genetic Non-Discrimination Act. The WPF requested a change to the proposed regulations, asking the Department of Health and Human Services require immediate posting of revised notices of privacy practices on the web sites of affected health plans. Under the proposed regulations, written notice of revised privacy practices to individuals could be delayed due to the cost of postal mailing. The WPF noted that a revised privacy notice posted on a health plan's web site would not incur postal costs, and that regulated entities should take this minimum step to inform consumers of any changes regarding privacy practices affecting genetic non-discrimination.

WPF updates Red Flag report

WPF Red Flag Report -- The World Privacy Forum has updated its Red Flag report, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers. The update reflects the new effective date of the Red Flag Rule, (November 1, 2009) and incorporates other minor updates in the text. This report replaces the original Red Flag report published September 2008.

WPF asks Treasury to get consumers' consent before checking their credit reports

Financial privacy - Privacy Act -- The World Privacy Forum filed comments today urging the U.S. Treasury Department to obtain consumers' consent before checking their credit reports. Consumers who participate in the government's Home Affordable Modification Program (HAMP) -- an Obama administration program created to help consumers renegotiate their mortgages so they can keep their homes -- must allow the Federal Government to check their credit reports without first obtaining consent. This procedure sets a negative precedent, and is at odds with consumer expectations of privacy. The Treasury gave itself this power in an obscure set of "Routine Uses" in a Privacy Act notice published along with the proposed system of records for the program. The World Privacy Forum has objected to this, and has filed detailed comments with the Treasury about the lack of consumer consent. The public comment period on this program is open until September 4, 2009.

FTC issues final rule on health data breaches

Health data breach rulemaking -- The Federal Trade Commission has issued its final Health Breach Notification Rule for vendors of Personal Health Records and related entities, as required under ARRA, The American Recovery and Reinvestment Act of 2009. The initial proposed Health Breach Notification Rule was generally thoughtful and thorough. The World Privacy Forum submitted extensive comments on the proposed rule both supporting parts of it and making some suggestions for changes. The FTC incorporated several specific WPF suggestions into the final rule. In particular, the FTC incorporated the applicability of the rule to foreign entities with U.S. customers (Final Rule p. 17), and the applicability of the rule to search engines appearing on Personal Health Record web sites (Final Rule p. 34). The new rule will be published in the Federal Register shortly; until then, it is available at the FTC web site. Also available is a form that entities covered under this rule can use to report data breaches to the FTC. The Health Breach Notification Rule will be effective 30 days after publication in the Federal Register, and full compliance with the rule will be required beginning 180 days after publication.

World Privacy Forum files comments with HHS regarding data breach guidance

Public comments re: health data breaches -- The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for "limited data set" breaches.

World Privacy Forum files comments on proposed genetic discrimination regulations

Genetic Privacy | GINA -- The World Privacy Forum filed comments on the proposed regulations on the Genetic Information NonDiscrimination Act, or GINA. The comments request that the Equal Opportunity Employment Commission close down several potential loopholes in consumer protection in the proposed regulations. The Forum specifically asked the EEOC to consider curtailing the amount of commercially available information employers could access about employees, for example, through marketing databases. WPF also requested that those covered under GINA be required to maintain audit trails in certain circumstances, and urged that wellness programs be structured in such a way so as to prevent information leakage through billing and other activities.

New privacy rules for schools released; World Privacy Forum comments had positive impact for student and parent privacy

School privacy | FERPA -- In May 2008 the World Privacy Forum submitted detailed comments on proposed changes to the Family Educational Rights and Privacy Act regulations (FERPA). The FERPA regulations are the rules that control how schools treat and release student information. The final FERPA regulations have now been published and reveal that the World Privacy Forum comments had a positive impact. The new regulations agreed with WPF's comment that if a school requests a Federal tax return from a parent, that the parent has the right to redact all financial information from the form, and affirmed that the school does not have a requirement to ask for the tax form in the first place. The regulations also agreed with the WPF comment that the risk of re-identification of published student information is cumulative, and made recommendations that educational institutions take into account all releases of student information it has made, not just new releases.

World Privacy Forum files comments on proposed rules regarding Patient Safety Organizations

Patient Safety Organizations | Proposed rulemaking -- The World Privacy Forum filed extensive comments today regarding privacy protections for patients whose health care information will be shared with patient safety safety organizations under newly proposed Department of Health and Human Services regulations. After a landmark Institute of Medicine report on the prevalence of medical errors and their harmful impact on patients (To Err is Human), the U.S. Congress eventually passed the Patient Safety Act (2005). The Patient Safety Act allows extensive health care data of patients to go to patient safety organizations. The idea is to provide a form of quality control. The Agency for Heathcare Research and Quality (AHRQ), part of HHS, has published its proposed regulations implementing the Act. The World Privacy Forum has made 14 recommendations for substantive changes in the proposed rules to protect patient privacy. The World Privacy Forum asked the Agency to expressly mandate that all patient data be de-identified or anonymized to the greatest extent possible, that the proposed rule should expressly require data use agreements for any data sharing, that the patient information be labeled as subject to the Patient Safety Act, and strongly urged that patient safety organizations be required to maintain an accounting of disclosures at least equal to HIPAA, among other recommendations.