New York AG Settles Data Protection Enforcement Against Mobile Health Apps
After a year-long investigation into mobile health apps claiming to be able to measure vital signs or health indicators through smartphone sensors, the New York Attorney General (NY AG) settled claims against three developers alleged to have engaged in “misleading” marketing claims and “irresponsible” privacy practices. Mobile health apps Cardiio and Runtastic claimed that their apps effectively and accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third, Matis, claimed that its app transformed a smartphone into a fetal heart monitor.
Concerned that unregulated apps claiming to measure key vital signs and other health indicators may harm consumers if the apps provide inaccurate or misleading results, NY AG Eric Schneiderman brought enforcement actions against the trio of developers.
The steady trickle of GDPR guidance from the Article 29 Working Party continues. Fresh from finalising its guidance on data portability, lead supervisory authorities and data protection officers, the Working Party has published draft guidance on data protection impact assessments (DPIA), the full text of which is available on the Working Party website. Comments can be submitted to the Working Party by 23 May 2017, after which the guidance will be finalised.
When to Carry out a DPIA
DPIAs are a key part of the GDPR accountability principle, and have to be carried out if a processing activity is “likely to result in a high risk” to data subjects. The Working Party’s guidance clarifies this phrase, and provides a series of concrete criteria which might trigger a DPIA, including:
- “evaluation and scoring” of an individual (e.g. profiling), especially where it relates to an individual’s performance at work, health, behaviour, location or movements;
- automated decision-making which would be subject to Article 22 GDPR;
- use of sensitive data, i.e. processing special categories of personal data or data relating to criminal convictions;
- processing on a large scale;
- using datasets that have been matched or combined, for example, combining data you have collected with data purchased from third-party data brokers;
- data concerning vulnerable subjects, such as employees (as their relationship with their employer is not an equal one), children and the elderly; and
- processing which might prevent individuals from exercising a right, using a service or entering into a contract, for example bank screening on the basis of credit referencing that might prevent a data subject from entering into a contract; and processing of personal data in publicly accessible areas, for example through CCTV.
On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cybersecurity breaches and how they affected UK companies in the last year. Headline statistics from the report include:
- 61% of businesses hold personal data electronically;
- 46% of all UK businesses identified at least one cybersecurity breach in the past year, rising to 51% of those that hold personal data on customers, 66% amongst medium-sized firms and 68% amongst large firms;
- The most common breaches involved members of staff receiving fraudulent emails. This demonstrates that technical measures can only take an organisation so far, and that strong procedures and training are vital;
- External reporting of breaches is still not common – only 26% of companies reported their most serious breach to someone other than a cybersecurity company who could assist with solving the problem. This will have to change where personal data is lost under the GDPR;
- Only 37% of businesses have any rules around encryption of personal data, and 37% of businesses have segregated wireless networks; and
- Only 13% of businesses require their suppliers to adhere to specific cyber security standards.
A close observer of the GDPR will have noticed that, in several places, individual EU Member States can implement derogations from the GDPR requirements. Of course, as a regulation under EU law there is less scope for local flexibility under the GDPR than under the current EU Data Protection Directive 95/46. Yet the GDPR does, in a number of key areas, allow an EU Member State to set down local laws that could allow a more locally relevant flavour to a particular aspect of compliance.
While the prospect of different local flavours may be unwelcome to global businesses seeking to maintain a harmonised standard of compliance across the EU (one of the policy aims of the GDPR of course), clearly the EU policy makers and legislators considered that Member States must be given room to implement their own rules in certain areas. For instance, Member States may introduce further rules around the use of genetic data, biometric data and health data.
On 11 April 2017 the Cyberspace Administration of China published a circular calling for comments on its draft Security Assessment for Personal Information and Important Data Transmitted Outside of the People’s Republic of China Measures (the Draft Export Review Measures). Public comments are open through 11 May 2017.
The main legislative purpose of the Draft Export Review Measures is to clarify the process and requirements relating to the data localisation provisions in the Cyber Security Law, one of the most controversial aspects of the law. While the Draft Export Review Measures do add a significant level of implementing detail as to the practicalities of compliance, we expect that for many multinational corporations with operations in, or doing business with, China, the nature of the clarifications does not go in the direction that they would have wanted. In particular, the Draft Export Review Measures include a significant expansion of the scope of the localisation measure, potentially applying to all businesses collecting data in China.
Hogan Lovells has released a guide highlighting the key provisions in the Draft Export Review Measures, including an overview of the significant points for commentary. Please refer to the contacts at the end of the guide for related inquiries.
In this IP Enforcement Focus v-log, we report on a recent decision of the German Supreme Court dealing with illegal file sharing which has received a lot of attention.
The case centres on how the court views the secondary liability of Internet account holders where family members or groups are involved.
IP Enforcement Focus is a series of written, video and audio posts which plug into your current enforcement issues.
Germany has introduced a new “Regulation for the Operation of Unmanned Aircraft Systems” (“Drone-Regulation”). On 7 April 2017, the new Drone-Regulation entered into force, adapting national legislation to the risk-based approach of the European Union and setting the way for innovative technologies. However, the new rules also contain identification and qualification obligations as well as strict authorisation requirements for specific operations of Unmanned Aircraft Systems (“UAS”).
Some aspects of Germany’s new UAS regulations parallel the Federal Aviation Administration’s (“FAA”) Small UAS Rule (Part 107) that went into effect in the United States last August. Similar to the rules adopted by the FAA, Germany’s new UAS regulations place general restrictions on operating UAS beyond visual line of sight (“BVLOS”) and limit operations over people. Notably, however, Germany’s new regulations also provide a pathway for authorizing more advanced commercial UAS operations that go beyond the scope of the regulations in circumstances where it is safe to do so. This is similar to the waiver process adopted by the FAA in Part 107 for authorizing operations beyond the scope of the rule.
Enabling future technologies, abandoning authorisation requirements for UAS below 5 kg
Germany recognizes the great potential inherent in drones in the private as well as the commercial sector and tries to reconcile the immense potential of future technologies with increasing privacy concerns. To achieve this goal, the new regulation introduces changes mainly to the current German Air Traffic Regulation (“Luftverkehrs-Ordnung”), in particular by generally abandoning the former distinction between Flight Models (RC Aircraft) and UAS, and by abandoning the general obligation to obtain an authorisation for UAS operation.
The UK ICO has published what it describes as a feedback request on profiling and automated decision-making, with the intention that responses will “help inform the UK’s contribution to the WP29 guidelines due to be published later this year.”
Given the growing importance of profiling to most businesses, companies should consider whether they wish to contribute their views, particularly on areas where they consider more guidance is needed on what GDPR’s requirements mean in practical terms. For example, the GDPR focuses on profiling that has a “legal” or “significant” effect, and the ICO discussion paper contains its “initial thoughts” on what might constitute significant effects, which includes “causing individuals to change their behaviour in a significant way.” As the ICO acknowledges, what amounts to a “legal” or “significant” effect can be somewhat subjective, and so this is an opportunity for businesses that engage in profiling to put forward their opinions and influence future guidance.
The deadline for responses is 28 April.
2016 was an eventful year in the Asia-Pacific region. As data protection and cyber security issues increasingly feature in the news headlines there, as they do elsewhere, our annual publication, the 2017 Asia-Pacific Data Protection and Cyber Security Guide, provides you with an update on key regulatory developments and emerging trends in data protection and cyber security.
Key developments include:
- China’s passage of its Cyber Security Law, which will take effect from 1 June 2017. China’s approach to cyber security regulation is highly controversial, introducing data localization measures and invasive forms of technology regulation. Multi-national businesses across a range of industry sectors are concerned about the impact of this new, vaguely drafted law. Businesses in sectors such as banking and insurance have significant concerns about what the new law will mean for their operating platforms in China. Technology businesses fear that they may be excluded from markets altogether.
- Amendments to Japan’s Act on the Protection of Personal Information will take effect next month, introducing a data export control, measures for dealing in anonymized personal data and removing exemptions for small businesses. Critically, Japan will now have a dedicated data protection regulator responsible for administering and enforcing the law.
- The publication of the Implementing Rules and Regulations for the Philippines’ Data Privacy Act of 2012 saw elements of the EU General Data Protection Regulation adopted into law, including a 72 hour data breach notification obligation, special requirements in relation to consents to profiling and a right to data portability.
The pace of regulatory development is rapid and multi-national businesses with operations in the Asia-Pacific region will want to stay abreast of the issues.
Our team would be delighted to share further insights with you.
Welcome to the Hogan Lovells Global Payments Newsletter. In this monthly publication we provide an overview of the most recent payments, regulatory and market developments from major jurisdictions around the world as well as sharing interesting reports and surveys on issues affecting the market.
Key developments of interest over the last month include:
- EBA publishes final draft RTS on Strong Customer Authentication: the EBA released the draft RTS mandated by PSD2 on 23 February 2017. Key changes from the previous draft include the banning of “screen scraping” and new exemptions to the requirement for strong customer authentication.
- HM Treasury publishes draft AML Regulations and response to consultation: On 15 March 2017, HM Government published its findings from the consultation on the Fourth Anti-Money Laundering Directive. It has also published the draft AML regulations which contain a number of additions to the existing AML regulations.
- EBA consults on guidelines for complaints of infringements of PSD2: the EBA published draft guidelines for competent authorities on the complaints procedures to be considered by PSPs to ensure compliance with PSD2 on 16 February 2017.
You can also follow us on Twitter at @HLPayments for regular news and updates.