[Cross-posted from the Genomics Law Report blog]
By John Conley
Over the last five or so years my law practice has focused increasingly on privacy law, both domestic and international. In hindsight, this was a predictable outcome: as an intellectual property lawyer, many of my clients do business on the Internet or are engaged in scientific research and development, with many of the latter in the health care area. These are the very kinds of people who need to worry about privacy—of their customers, users, patients, and subjects. As they started on focusing on privacy concerns, these clients turned to their IP lawyers for help, and my Robinson Bradshaw colleagues and I have tried to stay ahead of their needs.
As a consequence of my growing privacy practice, I am regularly called on to give overviews to other lawyers as well as non-lawyers in the scientific and business communities. I thought it might be useful to devote a GLR post to a privacy law summary targeted at readers who conduct medical and other scientific research. Privacy law is a transnational mess, so this will be a bit longer than I’d like—my apologies, and please don’t shoot the messenger—but I’ll try to cut through the legal jargon.
Sources of Modern Privacy Law
In the United States, there is no general federal privacy law yet. Federal laws are sector-specific, covering such areas as health (HIPAA), finance, and online businesses that target children. In addition, the Federal Trade Commission is beginning to assert itself as a general regulator of privacy. There are also some federal criminal laws and principles that have privacy implications (anti-wiretapping laws and protections against unreasonable searches, for instances), but these are beyond the scope of this discussion.
In the absence of a comprehensive federal privacy law, the states are the most important source of general privacy law. California has long been the leader, and remains so. Hence one piece of advice I always give to clients: comply with California law and you’ll be 99% safe everywhere.
The development of international privacy law has been driven by the European Union, with other countries (except the U.S.) following its lead and adopting EU-style laws. The EU approach is fundamentally different from that taken in this country. The development of U.S. privacy statutes, both state and federal, has largely been driven by a concern with the financial consequences of identity theft. Thus, most American laws protect “personally identifiable information,” usually defined as a name, social security number, or the like, that is linked to an account number or other financial identifier. In Europe, by contrast, privacy is treated as a fundamental human right—what Americans would think of as a constitutional right. This is understandable, since there are millions of people in Europe with a living memory of storm troopers or secret police knocking on doors in the middle of the night and dragging people away. Consequently, EU privacy law is generally far more protective than American, protecting any kind of personal information, prohibiting any kind of intrusion on privacy or seclusion, and putting a much greater burden of compliance on businesses and other private actors (but not always on governments—think of the ubiquitous surveillance cameras that saturate the United Kingdom).
Four Waves of U.S. State Privacy Laws
State privacy laws have come in what privacy experts refer to as “four waves.” The first, toward the end of the last century, consisted of antihacking laws, both criminal and civil. The second or “reactive” wave, led by a 2003 California law, required notification to potential victims of data security breaches. The third, “proactive” wave (and my apologies to literate people everywhere for having to use that dreadful word), again stimulated by California legislation, requires that entities holding personally identifiable information use “reasonable security procedures and practices.” The fourth wave of state laws, which are just beginning to be enacted, require such specific security measures as encryption and physical and technical controls. A parallel development is that California and other states are moving into the health sector with privacy requirements that may be more onerous than those imposed by HIPAA.
It is important to emphasize two things about these state laws. First, unless specifically displaced (“preempted,” in legal terms) by a federal law like HIPAA, you should assume that they will apply to medical and other scientific research unless they are specifically displaced. Second, they usually apply to all kinds of data storage, from paper records to the cloud. In fact, there is little privacy law anywhere that relates specifically to the cloud, so cloud-using researchers must try to adapt the existing rules to that environment.
The FTC has promised a collaborative, “soft-law” (best practices rather than rules) approach, but there are skeptics (including me). The FTC issued a Privacy Framework report in March 2013 that fills in many details of its evolving standards and regulatory plans. Even though many research organizations are not subject to the FTC’s jurisdiction, it would be prudent to assume that other regulators will look to the Privacy Framework for guidance in developing their own standards. Accordingly, it would make sense to treat the FTC framework as, at a minimum, a set of best practices to consult in shaping your organization’s privacy program.
HIPAA restricts unauthorized use of personally identifiable health information to care-related activities by providers and their “business associates.” However, unauthorized research use or disclosure is permitted, as long as they are approved by an Institutional Review Board. De-identified health data are generally not restricted. Overall, HIPAA requires “reasonable and appropriate administrative, technical, and physical safeguards” in the handling of health data. These rules should apply to cloud computing, and Cloud Service Providers are probably business associates covered by HIPAA.
International Law: The EU Approach
The EU is currently operating under its 1995 Data Protection Directive. A Directive is a detailed standard that individual member countries must adopt through national legislation, a process that inevitably produces country-by-country variation. Thus, compliance currently requires familiarity with both the directive and the national laws of the particular countries in which research data will be collected, processed, or stored. A 2012 Data Regulation (an EU-level law that takes effect automatically in all member countries) is pending, with many of its details still being debated. It seems likely to get final approval in the next several months, but we’ve been hearing that for more than two years now.
The core features of the 1995 Directive include the following:
- It covers all personal data: anything identifiable to a person.
- Health-related and genetic data are always sensitive, and thus subject to enhanced protection.
- The burden of compliance is on the controller—the party that directs processing, which includes collection, storage, transmission, or analysis of the data.
- Consent of the data subject is generally required for any processing.
- Processing must be for legitimate purposes and proportional to those purposes.
- The subject has rights of access, objection and opt-out.
- The controller must ensure the security and integrity of the data.
The 800-pound gorilla in the 1995 Directive is a set of rules concerning transferring personal data to non-EU countries. These rules clearly apply to medical and scientific research data. Transfer is generally forbidden unless the EU has certified the recipient country as providing EU-level privacy protection. The U.S. does not meet this standard. The following alternatives are available:
(1) Enter the U.S. Department of Commerce Safe Harbor, whereby a U.S company certifies that its policies and practices meet EU standards. However, the EU has sent strong signals that it may drop out of this program, and it is not available for nonprofits in any event.
(2) Use EU-approved contract terms between the data exporter and importer. The U.S. party must provide EU-level protection, “respond” to EU mediation and “accept” the decision of a European national court—though it can contest jurisdiction, which seems a bit contradictory.
(3) Do the same thing through “binding corporate rules,” through which an American company adopts the EU principles and provides mechanisms for ensuring compliance.
None of these approaches has gained much traction in this country, with American companies generally ignoring the problem.
The pending 2012 Privacy Regulation will follow similar principles but also make some significant changes. The proposed changes include the following:
- Scope: The Regulation protects anyone who can be reasonably identified from the data, and applies to all data processing activities by entities “offering goods or services” to people in the EU or “monitoring their behavior.”
- Remedies: Private lawsuits can be brought in a plaintiff’s national court, and the EU can impose administrative penalties up to the greater of 1 million euros or 2% of gross revenues.
- The burden is on the controller to prove “explicit” consent by subjects.
- “Right to be forgotten, and to erasure”: Under this most controversial provision, if a subject withdraws consent, the controller must render the data inaccessible, even if on the Internet. (Note, however, that last year the Court of Justice of the EU found that there is a right to be forgotten under existing law.)
Again, remember that countries around the world—with the notable exception ofthe U.S.—have followed the EU’s lead in enacting privacy laws. Expect that most other countries, especially in the developed world, will have privacy laws that follow the principles of the 1995 EU Directive. In the future, an international move in the direction of the new Regulation can be expected.
Medical and Scientific Research under Current EU Law
All medical data, and much other scientific research data, will be characterized as “sensitive” and thus subject to the highest level of scrutiny and restriction. Since the Directive has been implemented at the national level, there is significant country-by-country variation in the rules pertaining to research—which, by the way, tend to be detailed and complex. Nonetheless, it is possible to simplify compliance for a multinational research project by creating an “establishment” in one country and centralizing the project there. Many American observers believe that the UK offers the most research-friendly environment in which to set up an establishment (in addition to avoiding language barriers).
Critical country-by-country regulatory variables include: whether the approval of the national Data Protection Authority is required before collecting data; whether individual subject consent is necessary and, if so, is sufficient in order to collect or export particular kinds of data; and whether de-identified or anonymized data is exempt from regulation.
The Effect of the Proposed Data Regulation
The original draft of the Regulation had a number of fairly clear research exemptions. However, there is in ongoing debate about the final version among the EU Parliament, an expert group called the Article 29 Working Party, and innumerable research and privacy advocates—people we Americans would call lobbyists. The issues being debated include the status of “pseudonymous” data (de-identification and anonymization don’t appear to be taken seriously as a technical matter) and the nature of subject consent that will be required for research. Like everything else with the Regulation, the final outcome remains uncertain.
In what might be the most significant recent development in the non-governmental arena, in October 2014 the International Standards Organization published best a practices code for cloud computing. Rather than specifying outcomes, it focuses on architecture and processes. Not surprisingly, given the EU’s dominance in international privacy law, the code has been EU-driven and is EU-like. Although these best practices are not law, they could well be read into legal definitions of “reasonableness” imposed by courts and agencies. Microsoft adopted the standards in February 2015.
Summary: Five Keys to Compliance
On a practical level, researchers should focus on these five keys to compliance with these various state, federal, and international laws:
- Comply with California law and you’ll usually be in compliance with other states’ laws.
- Comply with relevant federal sector law—in most research contexts, it will be HIPAA.
- Watch out for the FTC—even if you’re a non-profit, the FTC’s standards may have influence.
- Outside the U.S., comply with EU law—but it’s changing.
- Assume that all of this applies to the cloud, and will apply to future storage and processing environments.
This post originally appeared on the Genomics Law Report blog on September 1, 2015.