
Exceptions to Privacy

1. Privacy issues with investigations and litigation:


a. Companies just don't want to give your private information to the gov't or an opposing party.
They have no choice in discovery/litigation, but they do elsewhere (proprietary info they don't
want the gov't to release; puts the co. in a negative light; competitive disadvantage; regulatory
enforcement).

Statutes that REQUIRE disclosure: FDA (disclose recall reasons)/ HIPAA (give PHI such as a medical
condition involving abuse, gunshot wounds, immunization records, specific communicable diseases)/ Bank
Secrecy Act (evidence of money laundering)/ Patriot Act (terrorist activities)/ OSHA (workplace injury
and illness records)/ State-specific laws (labs must notify the DOH of a positive COVID-19 test)/ Civil
Investigative Demand (45)/ Court Order (see above)/ Criminal proceedings: search warrant (requires
probable cause) or subpoena.

Permitted disclosure: HIPAA Privacy Rule: treatment, payment and health care operations (TPO), plus
specific permitted disclosures such as public health and national security/ Patriot Act computer-trespasser
exception: law enforcement may intercept a trespasser's communications on a computer when the owner
authorizes it, the officer is acting under color of law in an investigation, there are reasonable grounds to
believe the contents are relevant to the investigation, and only communications transmitted to or from the
trespasser are acquired.

Forbidden disclosure: HIPAA & COPPA (cannot disclose a patient's PHI, or a child's PI under COPPA, to
third parties unless required by law, with opt-in consent, or under another exception)/ GLBA (must give
notice and an opt-out before disclosing nonpublic personal information to nonaffiliated third parties, subject
to permitted exceptions)/ Website privacy policies (lots of websites of companies not covered by GLBA also
give opt-outs, and disclosures in violation of such promises may trigger Section 5 of the FTC Act)/ Company
privacy policies (violations are Section 5 of the FTC Act deception claims)/ Privileged communications
(attorney-client; husband-wife; clergy; physician-patient).

2. Civil litigation: Public Access to Information (FOIA; court records; motion for protective
order/seal records (Rule 26(c)), which needs to be relevant to the case). For example, the HIPAA Privacy
Rule specifically addresses when protected health information may be disclosed during
discovery:
a. First, a covered entity may disclose PHI if the subject of those records authorizes their
release.
b. Second, absent a release, a covered entity may release PHI subject to a court order.
c. Third, a covered entity may disclose PHI subject to a discovery request if satisfactory
assurances are provided. An assurance is satisfactory under HIPAA if the parties seeking
the request for information have agreed to a qualified protective order and have submitted
it to the court, or if the party seeking the information has requested a qualified protective
order from the court.
i. A qualified protective order requires both that the parties are prohibited from
using or disclosing the PHI for any purpose other than the litigation and that the
PHI will be returned or destroyed at the end of the litigation.

3. Law Enforcement: criminal investigations are another occasion on which a company may have to disclose PI.
a. The 4th Amendment comes up because it limits searches and seizures, requires probable
cause for a warrant, and governs wiretaps.
i. What a person knowingly exposes to the public, even in his own home or office,
is not subject to the 4th. Vice versa, what he seeks to preserve as private, even in an area
accessible to the public, may be protected (Katz).
b. Electronic Communications Privacy Act (ECPA) says that interception of wire, oral,
and electronic communications is a crime (with exceptions) and has a PRIVATE RIGHT
OF ACTION.
i. Consent exception: under federal law one party to the communication must consent; a
number of states (e.g., California) require all parties to consent, which is why businesses
announce "your call may be recorded for [x] purpose".
c. Stored Communications Act (SCA) prohibits unauthorized access to, alteration of, or
blocking of electronic communications while in electronic storage at a facility through which an
electronic communication service is provided. Criminal penalties or civil lawsuits if violated.
d. Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications
carriers (extended by FCC rule to facilities-based broadband and interconnected VoIP providers)
to build lawful-intercept capability into their networks. Enforced by the FCC.
e. Right to Financial Privacy Act (RFPA) PROHIBITS disclosure of customer financial records by
financial institutions to the federal government unless the customer authorizes it, or the request is
an appropriate administrative subpoena or summons, a qualified search warrant, an appropriate
judicial subpoena, or an appropriate formal written request from a government authority (BE
AWARE). Customers must be given notice.
i. Right to challenge. Penalties for wrongful disclosure include a private right of
action, punitive damages, and attorneys' fees.
f. Privacy Protection Act (PPA) added protection for members of the media and media
organizations from government searches or seizures during criminal investigations: the government
generally must proceed by subpoena rather than search warrant for journalists' work product and
documentary materials, unless, e.g., there is probable cause to believe the reporter holding the
materials committed the crime. Violations: minimum $1,000 liquidated damages, actual damages,
and attorney's fees.

National Security
1. Foreign Intelligence Surveillance Act of 1978 (FISA) governs electronic surveillance for foreign
intelligence and, with later amendments, telecommunications and Internet service providers releasing
data to the government for national security purposes.
a. The FISA Amendments Act of 2008 granted IMMUNITY to the phone companies so they would not
be liable for records they had provided to the government after 9/11. FISA allocates authority
between the President and the judicial branch (the FISA Court).
b. National Security Letters are administrative demands issued by the FBI without a court order,
limited to records such as subscriber and toll billing information. Section 215 (Patriot Act) orders
are FISA Court orders to produce "any tangible things" relevant to a defined foreign intelligence
investigation.
c. FISA requires that foreign intelligence be a significant purpose of the investigation and that
the surveillance target foreign powers or agents of foreign powers.

Cybersecurity Information Sharing Act (CISA), enacted in 2015, allows the federal government to
share unclassified technical data with companies about how networks have been attacked and how
successful defenses have been carried out, and gives companies liability protection for sharing cyber
threat indicators with the government and with each other.
California Consumer Privacy Act (CCPA)*
Generally: a CA consumer-focused law. Meant to give the consumer power to decide how a business
discloses, uses, sells, and collects PI.

Threshold Inquiry: Do you do business in CA?

 Threshold Exceptions:
o Employee data (one-year exemption)
o B2B information (one-year exemption)
o Business is wholly outside CA
o Vehicle warranty or recall information
o Other US law applies (e.g., HIPAA, GLBA, or FCRA-covered data)

Scope & Applicability: Applies to any for-profit company that does business in CA. (Size of business
alone does not matter; the thresholds below do.)

Requirement (at least one must apply, in addition to Scope & Applicability):

 Annual gross revenue > $25 million
 Annually buys, receives, sells or shares the PI of 50,000 or more CA consumers, households, or devices
 Derives 50% or more of annual revenue from selling CA consumers' PI

CCPA defines PI: any nonpublic information that may reasonably identify, relate, describe, or otherwise
be associated with either directly or indirectly a particular person or their household.
 Identifiers (Name; email; address; IP address; SSN; DLN; acct name; passport #)
 Characteristics of protected classifications (race; religion; sexual orientation)
 Commercial information (past purchases; consuming tendencies based on ads)
 Biometric information (eyes, hair, fingerprint, voice, hand)
 Geolocation (coordinates)
 Professional/Employment & Educational related information

Individual Consumer Rights:


 Right to notice (provided at or before business collects PI)
o Includes:
 PI to be collected (what)
 Purpose for collecting (why)
 “Do Not Sell My PI” if business sells info, include hyperlink/web address
o Means of notice (ordinary language & ADA compliant):
 Website
 Email
 Hardcopy
o Job applicants must receive notice
 Employees & independent contractors in CA (who)
 Inform of what and why; they don't have the same rights as consumers; one-year exemption
 Right to Request and Receive Disclosures
o Consumer (not employee) may ask the business for
 Categories of PI collecting
 Source of collection
 Purpose for collecting and selling
 Third parties PI is shared to (and if sold)
 Right to Deletion
o Request that the business and its third-party "service providers" delete PI collected/maintained
o Exceptions
 Needed to complete transaction
 Needed to detect security incidents
 Needed to debug or repair errors
 Free speech
 Scientific, historical, research use
 Internal use only (expectation of consumer)
 Legally obligated to retain
 Right to Data Portability
o Information requested by the consumer must be delivered in a portable and, where technically feasible, readily usable format
 Right to Opt-Out (of sale of PI)
o Inform consumers about option
o How to enact
 Web form
 Offline method
o Instructions to submit
o Exception
 Business does not (communicates that) sell PI
 Right to Opt-In for Children's PI
o No selling the PI of a consumer under 16 without opt-in consent: the minor's own consent if 13 to 16, a parent or guardian's if under 13
o COPPA restrictions also apply
 Right to Opt-In to Financial Incentive Programs
o Opt-In required before permitting
o Consumer can make money from selling their PI

Responsibilities when Complying with CCPA


 First notify consumers of their rights. Provide at least two methods for submitting requests (to access,
delete, or amend information), e.g., a toll-free number and a web form, and explain how to use them.
o Requests must be verifiable before a consumer can exercise their rights.
 Response time for access and deletion requests:
o 10 business days to confirm receipt
o 45 days to respond (after verification is confirmed)
o 45 additional days if the consumer is given notice stating why
o 15 business days to fulfill an opt-out request
 Cannot discriminate against a consumer for exercising their rights
o Website must be ADA compliant (if a consumer is visually impaired, the website needs to update its
tech to comply)

Enforcement for violations


 CA AG will enforce: up to $2,500 per violation and $7,500 per intentional violation
 PRA (private right of action) available
o Bring suit if a data breach resulted from exfiltration, theft, or disclosure of non-encrypted
or non-redacted PI because the business did not implement and maintain reasonable security
procedures and practices
o Statutory damages of $100–$750 per consumer per incident, or actual damages, whichever is greater
o Companies have 30 days to cure after written notice (for statutory damages claims)
o Defense: the business did implement and maintain reasonable security procedures and practices; the
PRA does not reach breaches of encrypted or redacted data.
Eight FIPs (use this order. First three are limitations) — PCUQTACA
1. Purpose limitation. (If I want to collect personal data, I must identify the purpose for which I am
collecting it. (No fishing expeditions)).
2. Collection limitation. (After identifying the purpose, you must collect ONLY the personal
data needed for it. (No hoovering)).
3. Use limitation. (After 1 & 2, you can only use it for THAT purpose. If you want to use it for a
different purpose, you must go back to 1).
4. Data quality (Integrity). (The idea that the data is accurate and complete, and retains its accuracy
and completeness over time).
5. Security. (The floor for data security).
o If you are going to hold personal data, whether in a file drawer or an automated
system, you must provide sufficient security to protect that data. In all data protection
legislation (not really in the US), you will see this security principle, all the way at the bottom.
6. No Secret Dossiers. (Dossiers that you do not know about. Should not be able to collect
information about you that you do not know about).
7. Right to see one's file and correct errors
o An individual should have the right to know what information is held on them,
o should be able to see the files held on them,
o and should be able to rectify those files
8. Accountability. ("A door to knock on")
o There should be a party or entity or person who is responsible for that personal
information they are holding about you — there is a door to go knock on. This is the Data
Protection Authority:
 An office that oversees and administers the data protection law.
 There is a data protection commission, and their job is to enforce the data
protection law
 Their budgets are separate to insulate them from government influence

General Data Protection Regulation (GDPR)


Big Deal: the EU finally enacts a (relatively) domestic statute that applies to and affects entities outside
its own jurisdiction.
Adverse arguments:
 It is hampering the market for business and the ability to make transactions
 If you are a smaller company, it is much harder for you to comply with GDPR as opposed to big
companies who can deal with the penalties or have the resources to mitigate the penalties.
 Portability. Something that has not been completely resolved. A problem for any sized business
because businesses were not developing solutions for these things prior to GDPR.
OECD Privacy Guidelines
Council of Europe Convention 108
Seven Key Principles:
1. Lawfulness, fairness and transparency
o The concept of lawfulness states that all processes you have that in any way relate
personal data of EU citizens must meet the requirements described in the GDPR.
o Fairness means that your actions
must match up with how it was described to data subject.
o A clear notice is what the concept of transparency is about
2. Purpose limitation
o Personal data can only be obtained for "specified, explicit and legitimate" purposes the
subject has been made aware of, and not further processed for incompatible purposes without a new legal basis
3. Data minimization
o Data collected on a subject should be limited to what is necessary in relation to the
purposes for which it is processed
4. Accuracy & up to date
o It is the obligation of the data controller to take every reasonable step to ensure that
the information collected is correct and current, and to rectify or erase inaccurate data
5. Storage limitation
o All personal information must have a retention period appropriate to its
collection purpose, after which it must be deleted or anonymized
6. Integrity & confidentiality (security)
o Keep data secure from external & internal threats: processing must ensure appropriate security,
including protection against unauthorized or unlawful processing and against accidental loss,
destruction or damage
7. Accountability
o The controller is responsible for, and must be able to demonstrate, compliance with the
principles above (Art. 5(2))
Limits of Data Processing: Requirement of a legal basis for the processing of personal data. (fair
collection & use of data)
Right to Rectification and Erasure (“Right to be Forgotten”):
 Right to correct inaccurate data; the right to erasure sets out a number of grounds that trigger the
controller's obligation to erase personal data:
o No longer needed for the purpose of its collection
o Data subject withdrew consent (and no other legal basis exists)
Consent: must be unambiguous/ freely given/ specific/ informed
 Cannot be inferred from silence, pre-ticked boxes, or inactivity
 Requesting: must be clear and in plain language, distinguishable from other matters
 Withdrawal: at any time, and as easy as giving consent
 Burden of proof: on the company to show consent was given
 Tying: performance of a contract may not be conditioned on consent to processing that is not
necessary for it (Art. 7(4)); consent is also given data subject by data subject and cannot be transferred
Limits on Processing of Sensitive data and Automated Decision-Making:
 Increased protections and/or flat prohibitions for special-category data (incl. racial/ethnic origin,
political opinions, religion, union membership, genetic or biometric data, health, sex life, sexual orientation):
o Automated decision-making: the data subject "shall have the right not to be subject to a decision
based solely on automated processing . . . which produces legal effects concerning him or her or
similarly significantly affects him or her." (Art. 22)
Consistency Mechanism: the European Data Protection Board (EDPB) issues non-binding opinions and, in
dispute resolution, binding decisions
Adequacy Standard: requires “an adequate level of protection” before a transfer of data to non-EU
country.
Monetary Fines: are to be "effective, proportionate and dissuasive" (other factors, such as the nature and
gravity of the infringement, are also considered). Upper tier is the greater of:
 4% of the company's total worldwide annual turnover
 20 million Euros

Safe harbor [agreement] to Privacy Shield:


 Framework agreement between the EU and US to address the inadequacy of US data protections.
Transplanted EU data law to the US for companies that voluntarily self-certified in order to participate
in data exchanges.
 About 5,000 companies participated, but serious questions arose after Edward Snowden leaked
documents showing companies working w/ the NSA. (The EU did not like that.) The CJEU invalidated
Safe Harbor in 2015 (Schrems I).
EU-US Privacy Shield (upgraded Safe Harbor): Privacy Shield is a jumble of US & EU data privacy
laws. There are four core principles:
1. Data Integrity and Purpose Limitation:
o Requires companies to pay greater attention to the collection and use of PII from EU
citizens, adding greater protection than available under US law.
2. Choice:
o Opt-in requirements for "sensitive information"; opt-out for other data, which may not be used for
"incompatible" purposes.
3. Enforcement:
o Considerable difference from Safe Harbor. Strong supervision mechanisms "to ensure
that companies follow the rules that they submitted themselves to." Creation of a US
Ombudsperson, independent of the security agencies, to review complaints about national-security
access to data.
4. Oversight:
o Supervision and enforcement by the FTC and Dept. of Commerce. Annual
joint review by EU and US officials. The CJEU invalidated Privacy Shield in 2020 (Schrems II), again
over US surveillance law.
[Art. 3] Territorial Scope: GDPR applies to you if you are:
 An entity established in the EU, regardless of whether you process the data in or out of the EU
 An entity outside the EU that offers goods or services to people in the EU (whether or not payment is required)
 An entity outside the EU that monitors the behavior of people in the EU (e.g., website tracking)
o Qualifier for the last two: the data subjects must be in the EU.
[Art. 4] Definitions:
 "Personal Data": any information relating to an identified or identifiable natural person (e.g., an IP address)
 "Processing": any operation(s) on personal data, such as collection, recording, organizing, storing, etc. (i.e.,
literally touching data in any way)
 "Pseudonymisation": processing personal data so it can no longer be attributed to a specific person without
additional information that is kept separately and protected (the data remains personal data; this is not
anonymization)
 "Controller": the company/person/entity that determines the purposes and means of processing personal
data (a "Processor" processes on the controller's behalf)
 "Consent": a freely given, specific, informed, and unambiguous indication of the data subject's wishes
(i.e., a statement or clear affirmative action)
[Art. 5] Baseline Rules of Processing Data:
 Data minimization: the idea that you only collect the data needed to fulfill your purpose and use as
little of it as possible
 The FIPs are found here too
[Art. 6] Lawfulness of Processing: Grounds for lawful processing. Must have at least one of:
 Consent (not used a lot in practice)
o A child can consent to information society services from age 16 (Art. 8)
o Member states can lower this, but not below 13; many chose 14
 Performance of a contract
 Legal obligation (e.g., a bank's reporting duties)
 Vital interests
 Public interest or official authority
 Legitimate interests
Each ground other than consent requires that the processing be necessary for it.
[Art. 7] Consent
 The individual can withdraw consent at any time
 Spells out the conditions for valid consent
 Transparent information (clear and conspicuous, distinguishable from other matters)
[Art. 9] Off-the-table (special category) information
 The prohibition does not apply if explicit consent is given or a specific exception applies, e.g., employment law obligations
[Art. 11] Totally anonymous
 Information that is completely anonymous is not covered (Recital 26); a controller that no longer needs to
identify data subjects need not acquire extra information just to comply
 Encrypted or pseudonymized data is still personal data and is covered
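As an added illustration (not part of the original outline), the following Python shows why pseudonymized data stays inside the GDPR while aggregated, anonymized data does not: a keyed token keeps records linkable and re-identifiable by whoever holds the key and lookup table, an unkeyed hash of an e-mail is reversible by a dictionary attack, and a k-suppressed aggregate has no row that maps back to a person. The records, key, and function names are constructed for this example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for illustration only (not real people).
RECORDS = [
    {"email": "alice@example.com", "city": "Berlin", "purchase": 42.0},
    {"email": "bob@example.com", "city": "Paris", "purchase": 17.5},
    {"email": "alice@example.com", "city": "Berlin", "purchase": 8.0},
]


def unkeyed_token(email):
    # Plain hashing of an identifier: deterministic and key-less, so anyone
    # with a list of candidate e-mails can recompute and reverse it.
    return hashlib.sha256(email.lower().encode()).hexdigest()[:16]


def keyed_token(email, key):
    # Keyed HMAC: still deterministic (records stay linkable), but it cannot
    # be recomputed without the secret key, which is held separately.
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Replace the direct identifier with a keyed token.

    Returns the pseudonymized rows and the re-identification table that the
    controller keeps separately (the Art. 4(5) "additional information").
    """
    rows, lookup = [], {}
    for r in records:
        tok = keyed_token(r["email"], key)
        lookup[tok] = r["email"]
        rows.append({"pseudonym": tok, "city": r["city"], "purchase": r["purchase"]})
    return rows, lookup


def reidentify(rows, lookup):
    # Because the lookup table exists, the rows are still personal data.
    return [dict(r, email=lookup[r["pseudonym"]]) for r in rows]


def dictionary_attack(token, candidates):
    # Reverses an unkeyed hash by brute force over a candidate identifier list.
    for c in candidates:
        if unkeyed_token(c) == token:
            return c
    return None


def anonymize(records, k=2):
    """Aggregate per city and suppress any group with fewer than k members.

    No output row corresponds to one person and no lookup table exists, so
    the result is outside the GDPR (Recital 26) rather than pseudonymized.
    """
    n = Counter(r["city"] for r in records)
    total = Counter()
    for r in records:
        total[r["city"]] += r["purchase"]
    return {c: {"n": n[c], "total": total[c]} for c in n if n[c] >= k}


if __name__ == "__main__":
    rows, lookup = pseudonymize(RECORDS, b"constructed-test-key")
    print(rows)
    print(reidentify(rows, lookup))
    print(anonymize(RECORDS, k=2))
```

The practical point: a processor holding only `rows` cannot name anyone, but the controller holding `lookup` (or the key) can, so breach-notification and data-subject-rights duties still attach to the pseudonymized set; only the aggregate from `anonymize` is free of them.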
Chapter 3:
 The idea behind the FIPs
 You can check what companies have on file for you (proactive, not reactive)
 An individual may choose to have all or selected data erased
[Art. 13–17, 20–22]
 Provide the identity of the controller (and contact information), the purpose for collecting, the
retention period, and whether automated decision-making is used
 Give the name of the controller's contact (and DPO, where one exists)
 Right to access (15)
 Right to rectification (16)
 Right to erasure (17), also thought of as the right to be forgotten
 Right to data portability (20)
 Right to object (21): say you don't want your data processed
 Automated decision-making (22)
Chapter 4: Obligations on the Controller and Processor (can be the same entity)
 Art. 25: entities must build in data protection by design and by default when setting up processing
 Art. 30: records of processing activities must be kept
 Art. 31: the controller and processor must cooperate with the supervisory authority on request
 Art. 32: Security of processing. Consider the amount of data, why it is collected, and the rights of
people; take precautions appropriate to the risk (e.g., pseudonymization, encryption)
 Art. 33: Data breaches. If a breach involves personal data, the controller must notify the supervisory
authority within 72 hours where feasible, unless the breach is unlikely to result in a risk (the notice
can be given in phases; it need not be confirmed in full)
 Art. 34: communicate to individuals that their data has been breached when the breach is likely to
result in a high risk to them
 Art. 35: DPIA (data protection impact assessment) for high-risk processing
 Art. 37: Data Protection Officer (DPO)
 Art. 44: data may be transferred to a third country only under Chapter V: a Commission adequacy
decision (Art. 45), appropriate safeguards such as standard contractual clauses or binding corporate
rules (Art. 46), or a derogation (Art. 49)
 Art. 51: every member state must have one or more independent supervisory authorities (Data
Protection Authorities)
 Art. 68: what creates the EDPB
 Art. 83: administrative fines for non-compliance, up to the greater of 4% of worldwide annual turnover
or 20 million Euros
 Art. 77–79: right to lodge a complaint with a supervisory authority (77) and to a judicial remedy
against a supervisory authority (78) or against a controller or processor (79); a supervisory authority
may order processing to cease until an infringement is rectified (Art. 58)

First, determine whether a breach has occurred. Does the information fall within the
definition of "breach" and has a "breach" occurred? Consider:
 Encryption (was the data encrypted, and was the key kept out of the attacker's hands?)
 Unauthorized access
 Disclosure
 Further disclosure
 Use of information after hours

Second, contain and analyze the incident. Subsequent to containment (notify the right
people, system audit, contact actual recipient), carefully analyze the information and log
it.

Third, notify the affected parties. This may also include government authorities if the jurisdiction
requires it. As well, a number of states have notification-letter content requirements.
Also include how to mitigate the harm.

Fourth, organizations should implement effective follow-up methods. These may include
training, internal self-assessments, and third-party audits where needed. Analyze the
breach and the response plan, as well as any deficiencies.
