FTC FINALIZES CHANGES TO THE HEALTH BREACH NOTIFICATION RULE AND RECENT FTC RULINGS
The Federal Trade Commission (FTC) issued a final rule that updates the FTC Health Breach Notification Rule (HBNR).
The HBNR applies only to businesses or organizations not covered by the Health Insurance Portability & Accountability Act (HIPAA), and to identifiable health information that is not secured through technologies specified by the Department of Health and Human Services (such as encryption). Under the HBNR, vendors of personal health records (PHR) (e.g., app developers, website operators and Internet-connected device manufacturers that hold consumers’ personal information) and related entities are required to notify individuals, the FTC, and, in some cases, the media of a data breach.
The update includes revised definitions, clarification of what the FTC considers a breach of security, new requirements for the content of breach notifications, changes to the timeframe for issuing notifications, and an expansion of the permitted methods for notifying consumers.
While the HBNR has been in effect for more than a decade, the FTC has only recently started enforcing compliance. The first organizations to face action over alleged violations were GoodRx and Easy Healthcare (Premom).
The Final Rule takes effect 60 days after publication in the Federal Register.
The key changes implemented by the Final Rule are:
- Modifying definitions and adding two new definitions for “covered health care provider” and “health care services or supplies”. These changes make the HBNR applicable to health apps and similar technologies that provide a mechanism to track anything from bodily functions to fitness to sleep, as well as ordinary medical diagnosis and treatment.
- Revising the definition of “PHR-related entity” to make it clear that the HBNR applies to “entities that offer products and services through the online services, including mobile applications, of vendors of personal health records”, and that “only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities”.
- Updating the required content of consumer notifications to require third parties that acquired unsecured PHR identifiable health information as a result of a breach of security to be named, and expanding the means of providing clear and effective consumer notifications to include email and other electronic means of communication.
In addition, during the past month, the FTC finalized two settlements targeting businesses’ practices regarding sensitive data collection and monetization. The first settlement involved a data broker, X-Mode Social, and its successor Outlogic LLC (“X-Mode”), which were found to have sold precise geolocation data without proper disclosures or obtaining consent from individuals, violating Section 5 of the FTC Act. X-Mode was also found to have disregarded Android users’ opt-out requests. The second settlement involved Monument Inc., an alcohol addiction treatment firm (“Monument”), which faced similar allegations of sharing personal data gathered through online tracking for retargeting purposes, allowing third-party advertisers to target specific individuals without consent. The complaint also highlighted Monument’s failure to impose contractual restrictions on third parties’ use of the disclosed personal data for their own commercial gain.
These settlements align with the FTC’s recent enforcement actions, demonstrating its commitment to restraining the collection, sale, or disclosure of consumers’ sensitive personal information. Businesses handling such data, particularly precise geolocation and health information, are urged to assess and ensure the presence of adequate contractual terms, obtain explicit and informed consent from individuals before processing their sensitive personal data, and respect opt-out requests.
SCRAPING WILL ALMOST ALWAYS BE A VIOLATION OF THE GDPR
The Dutch Data Protection Authority (AP) has published its Guidelines on Data Scraping (available in Dutch only) for private organizations, taking a firm stance on the legality of this practice. The guidelines emphasize that if the primary purpose of data scraping is commercial gain, claiming legitimate interest as the legal basis for scraping is not viable.
The AP does not view the development of scraping techniques (including web crawling) negatively, and it acknowledges that it might be impossible to meet the requirements of the GDPR when scraping data. However, scraping does pose numerous privacy risks, as the data collected during scraping can encompass various aspects of an individual’s life, including sensitive information (such as location data or financial data), and because there is little that data subjects can do to prevent scraping of their data.
Legitimate interest as a legal basis
Although consent could also be seen as a valid legal basis in principle, it will in practice be impossible to identify the applicable data subjects, as there is no direct relationship with them. Therefore, private organizations scraping data should establish and rely on the legal basis of “legitimate interest”, meaning an interest that society considers worthy of protection by law (it must be recognized in law). For example, as outlined by the AP, a purely commercial interest cannot be relied on as a legitimate interest, whereas scraping data for fraud prevention and security purposes can be considered a legitimate interest.
Publicity is not consent
Even where personal data have been made public by the data subjects themselves, for example when posting their photos on social media, it should not be assumed that those data subjects have consented to the scraping, or to the processing of their data once scraped. That said, in this case the infringement that occurs when others receive these data will normally be smaller than when using data that were made public not by the data subjects themselves but by someone else, for example by an employer that places the names of its employees on its website.
It should also be noted that consent under the GDPR must be specific, meaning that, to the extent the scraped data also include personal data on third parties, such as family members, friends, or colleagues of the individual whose consent has been obtained, that individual’s consent would not be sufficient.
Scraping activities should be assessed from the initial production phase onwards (‘privacy by design’), taking into account all applicable characteristics of your specific activity.
This document is intended to provide only a general background regarding this matter. It should not be regarded as setting out binding legal advice but rather as a practical overview based on our understanding of applicable regulations.
Regards,
Cyber, Technology, Compliance and Regulation team
Shibolet & Co.