US: Protection of Personal Information

HHS Announces Record HIPAA Settlement

New York-Presbyterian Hospital (NYP) and Columbia University have agreed to pay a combined $4.8 million – the largest HIPAA settlement ever involving a single incident – to settle charges that they violated the HIPAA Privacy and Security Rules by accidentally making the electronic protected health information of their patients accessible to Internet search engines.  The Department of Health and Human Services’ Office for Civil Rights (OCR) launched its investigations after the entities – which operate a shared data network and firewall – notified it of the breach.  As part of the settlement, NYP will pay $3.3 million, and Columbia will pay $1.5 million. The entities also agreed to undertake risk analyses, develop risk management plans, revise their existing policies and procedures, and provide training on privacy and security awareness. 

(c) Steptoe & Johnson LLP

EU: Search engine results to be removed where they affect privacy rights

ECJ confirms right to have search engine results removed where they affect privacy rights

The ECJ has ruled on three questions concerning the interpretation of the Data Protection Directive (1995/46/EC) with regard to the data processing activities of search engine providers, their status as data controllers and the existence and scope of a right to be forgotten, in a reference from a Spanish court. The proceedings had been brought by a Spanish citizen, who had asked that Google remove from the list of search results based on his name links to two announcements in a Spanish newspaper from 1998. The announcements concerned a real-estate auction connected with attachment proceedings prompted by the applicant's social security debts. The ECJ held that a search engine provider is the data controller in respect of the locating, indexing, storing and making available of information accessible on the internet, and that the applicant has a right to rectification, erasure or blocking of that information, and a right to object to the processing of the information in certain circumstances.

The ECJ made it clear that while the search engine's commercial interests in processing the information will not, as a rule, override the data subject's rights to privacy and data protection, a balancing of the data subject's fundamental rights and the interests of other internet users in accessing that information must be carried out. The interest in the continued accessibility of personal information may override the data subject's interest in cases where the data subject plays a prominent role in public life and the accessibility of the information is in the public interest. The ECJ further clarified that the data subject's right to request removal of the relevant links may also apply if the information is true and where its original publication was lawful. This is particularly the case where the information has since become inadequate, irrelevant or excessive.

The ECJ's decision has sent shock waves not only through the online industry but also through the loose collection of groups concerned with the protection of digital rights. While the strengthening of the EU's right to apply its data protection framework to non-EU data controllers in certain circumstances is broadly welcomed (within the EU, if not in the US, where many of the largest, most popular search engines are based), the importance that the court has afforded to the data subject's right to privacy, compared to the right of individuals to access to information, has led to accusations that the decision legitimises individual reputation management, the falsification of historical records and ultimately, censorship. (Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Case C-131/12, 13 May 2014.)

© 2014 Thomson Reuters. All rights reserved