In a significant development impacting all developers of certified Health IT and health care providers, the Department of Health and Human Services (“HHS”) Office of the National Coordinator for Health Information Technology (“ONC”) announced an Interim Final Rule with Comment Period (“IFC”) delaying compliance dates and timeframes for information blocking and the health IT certification program. This delay will come as a welcome change for certain entities in the health care sector struggling to implement changes amid the COVID pandemic.” Read Kristin Bryan’s and Elliot Golding’s analysis on our sister blog, Triage Health Law,
On November 3, 2020, a majority of Californians voted to approve a new ballot initiative – Proposition 24, or the “California Privacy Rights Act of 2020” (“CPRA”). We previously issued alerts on the road to certification of this ballot initiative here. Below, we highlight the main points that businesses facing compliance with this new privacy law should bear in mind. We will provide further updates in the days and months to come, drilling down in detail on the provisions of CPRA and the new regulations when they are released for public comment. Continue Reading
Last month California Governor Gavin Newsom signed AB 713 into law, which more closely aligns CCPA to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other laws governing scientific research. Although these changes may help ease compliance challenges for the health care and life sciences industries, the changes only exempt from the CCPA certain types of data rather than exempt health companies entirely. Continue Reading
We continue our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” (“draft Guidelines”) issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This issue focuses on the updates to the concept of joint controller. See our previous issues on the draft Guidelines’ proposed updates to the concepts of processor here and on controller here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.
Part 3: Focus on Joint Controllers
What is new in the draft Guidelines?
The draft Guidelines incorporate the holdings of recent judgments of the Court of Justice of the EU (“CJEU”) that expand and clarify the concepts of controller and joint controller.
What are the criteria for classification as joint controllers?
The California Attorney General (“AG”) proposed changes to the California Consumer Privacy Act (“CCPA”) regulations on October 12, 2020. Many of the proposed changes align with provisions that the AG withdrew over the summer during the California Office of Administrative Law (“OAL”) approval process. Although most businesses likely won’t need to materially alter current business practices if the changes are accepted, some adjustments may be required in specific situations. The proposed changes address the following topics:
- the requirements relating to providing a notice of the right to opt-out to offline consumers;
- the need for the opt-out of sale process to be easy and to not impair the opt-out process;
- what proof a business can request from an authorized agent and a consumer when a consumer makes an individual rights request through an authorized agent; and
- additional privacy notice requirements for certain circumstances when businesses process personal information of minors under the age of 16.
The proposed regulations are now in a 15-day public comment period, which will end at 5pm PST on October 28, 2020. If you have any questions about the proposed changes to the CCPA regulations, the existing regulations, or the CCPA, please reach out to your regular SPB contact or the author of this piece.
This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”) issued on 7 September 2020 by the European Data Protection Board (“EDPB”). This post focuses on the updates to the concept of controller. See our previous post regarding the concept of processors here. Upcoming posts will address joint controllers, “third parties” and “recipients.”
Please note that the EDPB has invited businesses to provide their feedback on the draft Guidelines by 19 October 2020.
Part II: Focus on Data Controllers
What is New in the Draft Guidelines?
Although the draft Guidelines provide some additional clarity on the distinction between controllers and processors, there remain various uncertainties in the application of the criteria for determining these roles under the GDPR. Evaluation continues to require a careful assessment of the relevant criteria and regulatory risks. It is important to keep in mind that not every “service provider” will qualify as a data processor. Indeed, the regulatory approach proposed by the EDPB appears to continue the trend towards limiting the scope of the “processor” classification and categorising data recipients that play a role in determining the purposes or essential means of the processing as joint controllers instead of processors. Joint controller status will be the focus of our third blog in this series.
Controller determines purposes and means of processing
The basic criteria for determining what makes an organisation a controller remains the same as under the previous guidelines issued by the EDPB’s predecessor in February 2010 (“Opinion 1/2010 on the concepts of controller and processor”). This is unsurprising, since the EU General Data Protection Regulation (“GDPR”) has not changed the definition of controller that was codified by the 1995 EU Data Protection Directive 95/46/EC. A data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4(7) GDPR). The draft Guidelines reaffirm that the controller determines both the “purposes” and “means” of the processing of personal data. The purposes and means were interpreted as the “why” and the “how” of the processing in the 2010 Opinion. Control can be exercised over the entirety of a processing activity or only over a particular stage in the processing of the data.
Processors often have discretion as to the means of the processing, furnishing their own tools and technologies. The draft Guidelines suggest that this does not necessarily impact the role of the processors if such control is limited to non-essential means of the processing. As examples of such non-essential means, the draft Guidelines refer to “more practical aspects of implementation” – such as which hardware or software should be used. At the same time, controllers retain the sole control on the “essential means” of the processing, if they decide “which data shall be processed”, “which third parties shall have access to this data”, “when data shall data be deleted”, etc.
The draft Guidelines offer as an example the situation in which a company appoints a payroll administrator and notes that the “way in which the latter should carry out the processing is in essence clearly and tightly defined” even if the payroll processor may decide on certain matters “such as which software to use”.
The draft Guidelines observe that in some cases there is a thin line between the role of controller and processor, such as when companies appoint accountants. Often the accounting firm “decides itself, in accordance with legal provisions regulating the tasks of the auditing activities carried out by it that the data it collects will only be processed for the purpose of auditing the client and it determines what data it needs to have, which categories of persons that need to be registered, how long the data shall be kept and what technical means to use”. In such cases, the accounting firm acts as a controller. However,“[i]n a situation where the law does not lay down specific obligations for the accounting firm and the client company provides very detailed instructions on the processing, the accounting firm would indeed be acting as a processor.”
The controller role may stem from applicable legal provisions, that is, when the law determines the controller or establishes specific tasks for the organisation. The draft Guidelines provide as an example the processing activity of a municipality that has the obligation to provide social welfare benefits to citizens depending on their financial situation. Classification as a controller may also result from “factual influence.” The draft Guidelines also provide the example of a law firm that acts with a “significant degree of independence” when representing a client (noting also that the mandate is “not specifically targeted to personal data processing”). Factual influence includes amongst other things the terms of a contract or the “traditional roles and professional expertise that normally imply a certain responsibility” (as in the case of an employer with respect to the processing of personal data of its employees).
Access to personal data is irrelevant to be a controller
The draft Guidelines clarify, consistent with case law from the Court of Justice of the European Union (Facebook Fan page (C-201/16) and Jehovah’s Witnesses (C-25/17)), that organisations which do not have access to the personal data being processed on their behalf cannot exclude themselves from being a controller. So, for example, an organisation that engages a service provider to carry out a market study and only receives aggregated or statistical data will still be classified as a controller in relation to the personal data analysed in order to prepare the market study, if the organisation determines the means and the purposes for which personal data should be collected and the parameters of the study.
Control cannot be artificially allocated
As set out in the draft Guidelines, “it is not possible either to become a controller or to escape controller obligations simply by shaping the contract in a certain way,” or by appointing a natural person within one’s organisation to implement a processing activity and designate such person as the controller.
Continuous obligation to ensure processors and sub-processors provide “sufficient guarantees”
Controllers have the primary responsibility for compliance with the GDPR due to the accountability principle and other obligations imposed directly by the GDPR on controllers. The draft Guidelines stress the obligation of the controller to only engage processors that provide sufficient guarantees that the processing will meet the GDPR requirements. The EDPB clarifies that this obligation also applies to granting authorisation for processors to engage a sub-processor. In practical terms, this means that controllers should add an extra layer to their due diligence process for engaging service providers when the latter in turn engage sub-processors. Controllers should have contractual restrictions on the processor’s right to engage a sub-processor without the controller’s prior authorisation. There should be controls in place to check that the sub-processors provide “sufficient guarantees”. Where the controller grants a general authorisation, controllers should have the right to be informed of any changes to the list of approved sub-processors and an opportunity to object to any new sub-processors. The obligation to check that engaged processors and sub-processors provide sufficient guarantees is a “continuous obligation”, which requires regular verification that is ultimately the responsibility of the controller, even if the controller delegated the vetting of sub-processors to processors.
Emphasis on purpose limitation when sharing data with other controllers or joint controllers
The draft Guidelines also emphasise the duty of each controller to ensure that the personal data disclosed to another controller or a joint controller are not further processed in a manner that is incompatible with the purposes for which the data was originally collected by the controller disclosing the data. In case the personal data is intended to be used for additional purposes by the controllers or joint controllers receiving the personal data, they should contractually commit to have a legal basis for such processing.
The draft Guidelines also provide an interpretation of Article 28(3) GDPR reaffirming that written and binding agreements are necessary. The EDPB calls on controllers to add specific and concrete information on how processors are to comply with their GDPR obligations (additional detail may be found here). Specifically, the EDPB suggests adding procedures and template forms in contracts with processors to allow processors to assist controllers, where necessary (for example setting forth a detailed procedure that would apply in case the processor suffers a data breach or who does what in case the controller or the processor receives data subject requests, etc.) or to arrange for further instructions for such assistance.
A controller’s instructions should also cover international transfers of data outside the EEA. Where the processor is authorised to delegate some processing activities to other sub-processors, the contract must be clear on whether the controller allows for transfers to processors in third countries, including the processor’s own divisions or units in third countries.
The EDPB emphasises that the controller will not be able to escape responsibility in cases where it agrees to non-negotiable terms offered by large service providers acting as processors, and the terms violate the GDPR requirements. Consequently, controllers must assess their compliance risks and ensure that any such non-negotiable contracts do not impact their key processing activities involving personal data, key data subjects or major data flows.
How can we help?
We have assisted a number of organisations with the assessment of their role in relation to processing and in negotiating core business or high priority data sharing agreements between data controllers and data processing agreements between controllers and processors or a combination in a number of industries. Please contact the authors or your usual contact on the Squire Patton Boggs Data Privacy & Cybersecurity team for advice on documenting or negotiating these arrangements and roles.
The takeaways from this session will include:
- The essential elements of a privacy notice, including how and when to inform
- Critical steps to keeping the policy current
- The challenges with creating and updating policies
This program is pending for 1.0 hour of CLE in AZ, CA, NJ, NY and Ohio.
27 October 2020 – 4 p.m. CET/11 a.m. EDT
This is the first in a series of posts that discuss the key concepts and issues addressed in a set of draft guidelines recently issued by the European Data Protection Board (“EDPB”). Comments on the draft guidelines are due by 19 October 2020.
Part 1: Focus on Processors
On 7 September 2020, the EDPB published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.” Businesses and members of the public may provide feedback on the draft Guidelines by 19 October 2020. Continue Reading
The US Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a settlement with Georgia-based Athens Orthopedic Clinic PA (the “Clinic”) to resolve multiple alleged violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”).
Under the terms of the settlement, the Clinic agreed to pay $1.5 million to OCR and to adopt a corrective action plan to settle potential violations of the Privacy and Security Rules under HIPAA. The Clinic provides orthopedic services to approximately 138,000 patients annually. Continue Reading
Since the Court of Justice of the EU (“CJEU”) decided in its Schrems II ruling that the Privacy Shield is no longer valid and that EU Standard Contractual Clauses (SCC) can no longer be used without extra scrutiny and require the implementation of additional security measures by both the EU data exporter and the US data importer, companies are wondering on how they can transfer data to non EU countries. According to the CJEU, the SCCs are still valid, but a level of protection for personal data equivalent to that in the EU must be ensured, which would not be the case if public authorities, such as intelligence services, can access EU personal data without adequate judicial oversight or due process. Continue Reading