European Commission Refreshes Standard Contractual Clauses
The European Commission ("EC") has long sought to improve data privacy for Europeans, even when they interact with global or non-European companies. Laws like the General Data Protection Regulation (or “GDPR”) seek to control how even U.S. companies, for example, use data from European citizens. To comply with the GDPR, U.S. companies doing business in Europe are required to use standard contract clauses, or “SCCs,” in their agreements governing use of EU citizens’ data.
Under U.S. Law, Freedom of Speech Trumps any Right to be Forgotten
While the "right to be forgotten" is part of European law, it is at odds with U.S. precedent. See, e.g., Garcia v. Google, Inc., 786 F.3d 733, 745-46 (9th Cir. 2015). A Georgia law allowing the father of a deceased rape victim to sue a television station for publicizing the victim’s name unconstitutionally violated the First Amendment. Cox Broadcasting Corp. v. Cohn, 420 U.S. 469 (1975). And in 2004, the California Supreme Court cleared corporations of any wrongdoing when publishing any information from official public records. Gates v. Discovery Communications, Inc., 34 Cal. 4th 679, 685 (2004). In the United States, the First Amendment wins.
Class Action Against Google Over COVID-19 Contact Tracking App Highlights New Layers of Data Privacy Consideration
On April 27, 2021, a class action lawsuit was filed against Google, Inc. ("Google") alleging that the Google-Apple Exposure Notification System ("GAEN") – the company’s COVID-19 contact tracking app – contained a flaw that may allow third parties to access user medical information. Google had promised users of GAEN that their medical information would be held in the utmost privacy. The company explained that “the list of people you’ve been in contact with doesn’t leave your phone unless you choose to share it,” implying the data was safe from unauthorized third-party access. Further, Google promised that data collected was all anonymized such that even if third parties could access the data, the information could not be linked to a particular individual.
The State Of Health Data For Vulnerable Populations, Why Cybercriminals Target Children, The Elderly, and the Dead
As of 2021, more than twice as many data breaches are being reported as 6 years ago, and three times as many as occurred in 2010. While credit cards and social security numbers are perennial favorites, cybercrime has begun to favor the theft of electronic medical records (EMR) as sources of revenue. With banks and major financial institutions starting to wise up and tighten their electronic security, cybercriminals have begun to target vulnerable healthcare institutions with a particular focus on the records of children, elderly people, and the deceased.
Judge Allows Facebook to Settle Facial Scanning Suit for $650 Million
On February 26, 2021, Judge James Donato of the U.S. District Court for the Northern District of California granted final approval of a proposed $650 million settlement in a biometric privacy class action lawsuit brought against Facebook. In re Facebook Biometric Information Privacy Litigation, Case No. 3:15-cv-03747-JD, Dkt. No. 537 (N.D. Cal. Feb. 26, 2021). The long-running litigation began in 2015, when class members alleged that Facebook collected and stored digital scans of their faces without prior notice or consent in violation of Sections 15(a) and 15(b) of the Illinois Biometric Information Privacy Act (“BIPA” or “the Act”), 740 Ill. Comp. Stat. 14/1 et seq. (2008).
Foreign Privacy Laws Do Not Block US Discovery
Defendants in US civil suits have sought to withhold discoverable material because of privacy concerns based on foreign laws, such as the GDPR. Almost all cases on the issue of US discovery and transnational privacy statutes have found that such concerns do not override parties’ obligation to comply with discovery requests.
Comprehensive, Round Two: Virginia Passes the Second General Data Privacy Law
Virginia just became the second state to pass a comprehensive privacy law, the Consumer Data Protection Act ("CDPA"). Business and privacy professionals should evaluate the ramifications: what does it require, who does it apply to, and what are the penalties?
Measuring the Reach of GDPR, How Far Is Far Enough?
It's generally recognized that the General Data Protection Regulation (GDPR) can apply to entities outside the European Union. However, scant court rulings guide non-European controllers and processors on this question. The English High Court’s recent decision in Soriano v. Forensic News LLC and others (2021) helps fill the gap.
California Court Determines the CCPA Does Not Restrict Discovery in Civil Litigation
A recent legal decision held that privacy guarantees in the California Consumer Privacy Act ("CCPA") do not prevent discovery in civil litigation. In Will Kaupelis v. Harbor Freight Tools USA, Inc., the Central District of California concluded the CCPA does not limit the scope of discovery in civil litigation because it does not restrict the ability to comply with the Federal Rules of Civil Procedure. Case 8:19-cv-01203-JVS-DFM, Dkt. No. 158 (C.D. Cal. Jan. 22, 2021).
FTC Settlement With Fertility-Tracking App May Have Costly Ramifications for Companies Who Use Third-Party Data Analytics Software
On January 13, 2021, the FTC announced that fertility app developer Flo Health, Inc. ("Flo") agreed to a settlement over allegations that the company shared app users’ health information with third-party data analytics providers, including Facebook and Google. The FTC originally filed the complaint against Flo after 2019 media reports alleged that the app used by more than 100 million consumers had shared customer information despite representations that Flo would keep such information private.
EU and UK Announce Interim Plans for Post-Brexit Data Flow
Following its "Brexit" from the EU on January 31, 2020, the UK had until December 31, 2020 to bring its data privacy laws into compliance with the General Data Protection Regulation (“GDPR”). As of January 1, 2021, the UK is a “third country” under the GDPR. However, on December 24, 2020, the EU and UK entered into the EU-UK Trade and Cooperation Agreement.
Institutions Propose Digital Health Passports During the COVID-19 Pandemic
As countries around the world begin administering COVID-19 vaccines, many institutions, both governmental and private, are considering the possibility of requiring proof of COVID-19 status to travel, work, and attend live-audience events. The International Air Transport Association (IATA) is one of many organizations developing a smartphone app that will allow travelers to display their COVID-19 status in airports. In the UK, VST Enterprises Limited has developed a similar app for sports attendance. These “digital health passports” may help society return to normal, but they also raise privacy concerns.
EU Recommendations Require Careful Analysis but Offer Few Clear Rules
In July 2020, the Court of Justice of the European Union's (CJEU) Schrems II decision declared the EU-US Privacy Shield Protections inadequate for the protection of European data. On November 10, 2020, the European Data Protection Board (EDPB) released “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.” The recommendations provide a framework for data exporters to analyze the protections afforded to European Union residents’ personal data and ensure that, throughout the data lifecycle, data receive the protection demanded by EU privacy law as embodied in the GDPR and other regulations.
Canada Introduces the Consumer Privacy Protection Act
On November 17, 2020, the Canadian House of Commons introduced the Digital Charter Implementation Act, 2020 ("DCIA"), which includes the Consumer Privacy Protection Act (“CPPA”), a privacy-focused arm of the legislation. The full text of the Bill can be found here. The CPPA would act as an update and expansion to the pre-existing federal privacy law.
Data Breach: No Injury-In-Fact, Case Dismissed
It is well known that there are, unfortunately, many data breaches that frequently put private citizens' data privacy in jeopardy. States have passed a variety of statutes aimed at addressing this problem in an attempt to provide data breach victims with some form of redress. Nonetheless, even where there has been a data breach, a plaintiff must meet certain requirements in order to have standing to bring a lawsuit in an Article III court. One such requirement, as the case described below illustrates, is that a plaintiff must have sufficiently pleaded injury-in-fact in his or her complaint.
Voters Choose Privacy at the Ballot Box
While most 2020 media election coverage focused on the races for President and control of Congress, privacy also had its day at the ballot box.
Californians Approve Proposition 24 – the California Privacy Rights Act
Following the November 3, 2020 general elections, Californians voted Proposition 24 into law, which will implement the California Privacy Rights Act (“CPRA”).
New York’s New COVID-19 Testing Mandate Struggles to Balance Traveler Privacy and Public Health
New York state issued a new mandate requiring that all travelers test negative for the COVID-19 virus both before and after coming to the state. The mandate allows travelers to bypass the 14-day quarantine and requires non-residents, and residents who leave the state for more than 24 hours, to have proof of a negative COVID-19 test within three days of travel, quarantine for three days, and get tested again on the fourth day. If both tests return negative results, the traveler is permitted to move freely in New York. New York residents who travel to another state for 24 hours or less must take a COVID-19 test within four days of arrival. Essential workers and New York residents returning from the neighboring states of New Jersey, Connecticut, Massachusetts and Pennsylvania are exempt from the new requirements.
Amendment to CCPA Harmonizes Data Privacy and Healthcare Information Requirements – Exemptions for de-Identified Patient Information Under AB 713 Address HIPAA and CCPA Standards
An amendment to the California Consumer Privacy Act ("CCPA") was signed in September 2020. The CCPA regulates how large companies treat their customers’ personal information. However, the CCPA and healthcare information regulations, such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), do not always agree. The CCPA targets for-profit companies, so non-profit healthcare systems and hospital networks were not the focus of the law. However, many healthcare entities were still affected because they license data to pharmaceutical and medical device companies. This data is typically provided for research (not marketing) purposes and is therefore “de-identified” (anonymized or otherwise masked to preserve scientific value while preserving individual privacy).
China, The World’s Largest Online Population, Introduces Its First Comprehensive Personal Information Protection Law
The People's Republic of China ("China") has introduced its first comprehensive data privacy law, which will explicitly protect the personal information of its residents. On October 21, 2020, China’s legislative body submitted a draft bill for the Personal Information Protection Law (“PIPL”) that would prohibit businesses and enterprises from misusing the personal information of Chinese residents. Like the European Union’s General Data Protection Regulation (“GDPR”), the PIPL defines personal information broadly to include various types of electronic or otherwise recorded information relating to an identified or identifiable natural person.
Voters Could Revamp the California Consumer Privacy Act With Proposition 24
For the past two years, businesses have been scrambling to comply with the California Consumer Privacy Act ("CCPA") – the first comprehensive data privacy law in the United States with broad extraterritorial reach. This was a difficult task for most businesses because of high compliance costs, the COVID-19 outbreak and resulting government shutdowns, and uncertainty regarding the scope and applicability of the law due to the CCPA’s constant state of flux.