Privacy

Only minutes passed between first learning of the Paris attacks and confirming that our son, studying abroad in France, was safe. But it seemed to last a lifetime. My wife and I were with him in Paris just two weeks earlier, strolling happily a few blocks from where slaughter would soon visit the Bataclan Concert Hall and La Belle Equipe. Then, like a sick, twisted Groundhog Day, it felt like 9/11 all over again.

The Paris terrorism has rekindled an ongoing debate over government surveillance power, personal privacy, and cybersecurity. In this crucial, consequential debate, it behooves us to remember that terrorism’s goal is to trigger emotional, extreme reaction, and that perspective and balance are the antitheses of violent radicalism.

You’ve no doubt heard that on Tuesday the European Court of Justice declared the U.S.- EU Safe Harbor invalid. Under European law, the transfer of EU citizens’ personal data to a third country may only occur if the third country ensures adequate protection of that data. A European Commission decision in 2000 declared the United States’ laws and policies provided such adequate protection, through the vehicle of the U.S.- EU Safe Harbor FrameworkNearly 4,500 U.S. companies partake of Safe Harbor protected status – at least until this week’s European Court of Justice’s ruling pulled the plug.

As a result of this ruling, each of the European Union’s 28 national data protection authorities (“DPAs”) now has the power to establish its own rules and regulations for data transfers. Although the U.S. and the European Commission are engaged in continuing negotiations for “Safe Harbor 2.0,” there is no certainty about when the new framework will be established, or even what the framework will be. In the meantime, the question looms – what will the national DPAs do?

It may still be September, but to countless retailers, Halloween is already here. Passing by displays of spooky items while shopping, the ’80s haunted-house music video “Somebody’s Watching Me” comes to mind: “I always feel like somebody’s watching me, and I have no privacy” (yes, Rockwell has attribution, but Michael rocks the chorus).

The paranoid fellow in the video was worried about the IRS and the mailman – how quaint. In today’s world, high on many consumers’ “creepy stuff” lists is the use of mobile technologies by a growing number of retailers to track customers’ movements in their stores.

Cancer Care Group, P.C. settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules on September 2 with the U.S. Department of Health & Human Services Office for Civil Rights (OCR) for $750,000. Cancer Care, a radiation oncology private physician practice located in Indiana, also agreed to adopt a corrective action plan to remedy defects in its HIPAA compliance program.

“Sorry.” Music service Spotify joins the club as the latest company to apologize to its customers for proposed privacy policy changes. When it comes to bad press, it would be tough to beat Minecraft-founder Markus Persson’s tweet about Spotify: “Hello. As a consumer, I’ve always loved your service. You’re the reason I stopped pirating music. Please consider not being evil.” Spotify promptly threw itself on the mercy of its customers in a short written apology.

While the scope of Spotify’s policy exceeds the scope of data that most companies seek to obtain, it’s a good reminder for all companies to review their own privacy policies. As a company reviews its privacy policy, it should consider these key questions:

Folks of a certain age, and fans of “Guardians of the Galaxy’s” Awesome Mix vol. 1, have a hard time forgetting that late ‘70s song by Rupert Holmes, “Escape” (“If you like piña coladas, getting caught in the rain….”). But for millions of subscribers to infidelity website AshleyMadison, there’s no easy escape from hackers’ public disclosure of subscribers’ personal information. In the ensuing schadenfreude-field-day, and amidst early reports of extortion attempts and even suicides, there’s an important lesson to remember. Whether or not a company’s business model is broken vows, broken promises in a privacy policy can have severe repercussions.

Healthcare is trending toward value-based payments. Back in January, Sylvia Burwell of the of the U.S. Department of Health & Human Services announced Medicare’s move toward paying providers based on quality, rather than quantity, of care they give to patients. Secretary Burwell emphasized the importance of alternate payment models, including accountable care organizations (“ACOs”). Regardless of whether you are for or against value based payments, ACOs are will play a big role in the future of healthcare, and many providers will find themselves involved in an ACO. So, what are the privacy and security issues associated with being an ACO participant?

Employers commonly use video surveillance for safety, security, loss prevention, and employee productivity monitoring. But employers’ legitimate business interests in protecting assets and safeguarding the workplace must be carefully balanced with employees’ reasonable expectations of privacy. As the definition of workplace privacy continues to develop, employers must be conscious of the evolving legal risks of workplace monitoring.

The U.S. Department of Education is urging institutions to include privacy protections that reach beyond the Family Educational Rights and Privacy Act (FERPA) in contracts with app and other online educational service providers. Guidance from the Department’s Privacy Technical Assistance Center (including model contract terms and a basic employee training video) provides insight on