Inside Privacy

Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

UK Supreme Court Will Hear Google’s Appeal in Important Privacy Case

Posted in Advertising & Marketing, European Union, United Kingdom

The UK Supreme Court has granted Google the right to appeal part of the English and Welsh Court of Appeal’s notable ruling in Google Inc. v. Vidal-Hall & Ors [2015] EWCA Civ 311.

Our previous blog highlighted the facts of the case (brought by Internet users against Google’s ad-tracking practices) and the significant consequences of the ruling for organizations handling personal data in or from the UK.  In short, the Court of Appeal held that:

  • English law recognizes misuse of private information as a free-standing tortious cause of action (so litigants can seek injunctions and compensation even against foreign defendants, not just in the UK); and
  • Section 13(2) of the Data Protection Act 1998, which hitherto had prevented claims for “distress” (i.e. moral damages) in the absence of pecuniary (i.e. financial) damage, was invalid on two grounds:

Although Google appealed on all counts, the UK Supreme Court granted permission to appeal only in relation to the invalidity of Section 13(2) of the Data Protection Act.  In doing so, it tacitly upheld the view that misuse of private information is indeed tortious in nature, thus allowing the claim in tort to proceed against Google, regardless of the eventual outcome of Google’s appeal on Section 13(2).

For now, that section of the Data Protection Act remains dis-applied, so unless and until the UK Supreme Court reverses the Court of Appeal’s decision, litigants will remain able to demand compensation for mere distress due to breaches of the Act.

Fiat-Chrysler Recalls 1.4 Million Vehicles In Response to Security Vulnerability

Posted in Data Security

Last Friday, Fiat Chrysler announced the recall of 1.4 million vehicles to fix security vulnerabilities, further highlighting the importance of properly addressing cybersecurity issues created by the use of connected devices.  The recall follows an article published last Tuesday by Wired magazine which described methods used by security researchers to remotely access a Jeep Cherokee, including attacks that disabled the car’s brakes and transmission.  While Fiat Chrysler’s statement on the recall emphasized that it was not aware of any incidents where the vulnerability had been exploited, the recall demonstrates the increasing attention being paid to security vulnerabilities discovered in connected devices.  The same day that the Wired article was published, Sens. Ed Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) introduced legislation aimed at establishing federal standards for cybersecurity of connected cars and privacy of drivers’ information.

According to the Wired article, many of Fiat Chrysler’s vehicle models – including the Jeep Cherokee – use Uconnect, an Internet-connected computer feature, to offer entertainment, navigation, and communication features.  The Wired article described a method by which security researchers were able to use Sprint’s cellular network, the same network used by the Uconnect feature, to wirelessly access any vulnerable vehicle nationwide through its Uconnect system.  Once the researchers accessed a vehicle, they could access the car’s internal computer network and control certain physical components of the car, such as its engine and wheels.  According to the article, the researchers notified Fiat Chrysler of the vulnerability nine months ago, and Fiat Chrysler responded by releasing a software patch that could be manually implemented via a USB stick or a dealership mechanic.  Following the article’s release, Fiat Chrysler initiated a full safety recall of multiple affected vehicle models, mailing a USB containing the patch to each vehicle’s owner that the owner could plug into a port in the vehicle to implement the fix.  The automaker has also worked with Sprint to block the methods used by the researchers to find and access vehicles wirelessly using Sprint’s network.

Last week, Sens. Ed Markey and Richard Blumenthal also introduced the SPY Car Act, designed to protect drivers from the security and privacy risks inherent in the increased use of connected cars.  According to the copy of the bill released by Sen. Markey, the bill would require NHTSA, in consultation with the FTC, to develop performance standards to prevent hacking of vehicles’ control systems.  These standards, which would take effect within 2 years after the final regulations are prescribed, would require manufacturers to use “reasonable measures” to protect all access points to the car, including isolation of critical software systems and evaluation using penetration testing.  Manufacturers would also have to secure all collected information against unauthorized access, both at rest and in transit, and equip vehicles with “capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.”  In addition to these hacking protections, the bill would also require the FTC, in consultation with NHTSA, to develop privacy standards to govern the collection of data by vehicles, including increased transparency and choice for drivers and a prohibition on the use of such data for marketing purposes without express consent.  Finally, the bill would also require NHTSA and the FTC to develop a “cyber dashboard” that would allow potential purchasers of new vehicles to easily evaluate how well each vehicle protects owners’ security and privacy.

Pocket Dials Are Not Private, Sixth Circuit Says

Posted in Litigation

A person who makes an accidental “pocket dialed” call has no reasonable expectation of privacy in the conversations exposed to the person who picks up that call, the Sixth Circuit ruled last week.  The court compared this situation to a homeowner who mistakenly fails to cover his windows, exposing his actions to public view.  In that situation, the homeowner would not have an expectation of privacy, and the court reasoned that the maker of a pocket dialed call should not, either.

Progress on EU GDPR Reform: International Aspects Debated

Posted in European Union

A second round of “trilogue” negotiation on the EU General Data Protection Regulation (GDPR), on July 14th, addressed the law’s territorial scope and its rules on international data transfers (Article 3 and Chapter 5, respectively).

Although no agreed text has been released, public comments made by Jan Philipp Albrecht, the European Parliament’s lead negotiator on the GDPR, indicate that agreement has been reached “in principle” on most of the provisions discussed. (For a video of his comments, please see here, from 3:10:00 to 3:20:00.)  However, some issues remain to be resolved, and it is expected they will be addressed when negotiations resume in September.

Data Breach Plaintiffs Allege Enough Risk of Harm for Suit to Proceed, Appeals Court Rules

Posted in Data Breaches, Data Security, Litigation, United States

Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems may proceed with their proposed class action lawsuit against the retailer, a federal appeals court ruled Monday.

Neiman Marcus discovered in December 2013 that some of its customers had found fraudulent charges on their credit cards, and after an investigation the retailer disclosed in early January 2014 that a data breach had exposed about 350,000 credit cards, of which 9,200 were known to have been used fraudulently.  The plaintiffs sued Neiman Marcus, alleging — among other claims — that the company was negligent, breached its implied contract with customers, engaged in unfair and deceptive business practices, and violated state data breach laws.

Monday’s ruling comes at a preliminary stage of the case and addressed only whether the plaintiffs’ allegations, if proved, would meet the requirements of Article III of the U.S. Constitution, which requires that federal courts hear only actual “cases or controversies.” The Supreme Court has held that this requirement bars lawsuits where the plaintiffs have not alleged that they have suffered or imminently will suffer a concrete injury.  The Supreme Court emphasized in a 2013 ruling, Clapper v. Amnesty International USA, that plaintiffs seeking to establish standing based on a risk of future injury must show that the threatened injury is “certainly impending,” a standard plaintiffs in other data breach cases have struggled to meet.

Ten Key Takeaways From Last Week’s TCPA Order

Posted in Federal Communications Commission

Last week, the Federal Communications Commission (FCC) released the text of its long-awaited order addressing certain aspects of the Telephone Consumer Protection Act (TCPA) and related FCC rules.  The order addressed a total of 21 petitions seeking “clarification or other actions” regarding the TCPA, principally in connection with automated calls and text messages.

Although the order purports only to “clarify” existing FCC precedent, there is widespread debate over whether the order imposed new requirements on entities that transmit automated calls and text messages.  The order already has been appealed by one party and other appeals are expected.  Nevertheless, because the FCC claims the order only clarifies existing precedent, its provisions became effective when the order was released on February 10, 2015.

The order focuses on ten key areas, which are summarized after the jump.

China Releases Draft of New Network Security Law: Implications for Data Privacy & Security

Posted in Uncategorized

On July 6, 2015, China’s National People’s Congress (NPC) released a draft of the Network Security Law (“Draft Law,” referred to in some press articles as the draft Cybersecurity Law) for public comment.  Comments can be submitted through the NPC website or by mail before August 5, 2015. The release of the Draft Law follows closely on the heels of the new National Security Law that was enacted last week (see Covington blog post here).

This Draft Law, initially reviewed by the NPC in June, would apply broadly to entities or individuals that construct, operate, maintain, and use networks within the territory of China, as well as those who are responsible for supervising and managing network security. A number of the provisions in this Draft Law, if enacted in their current form, are likely to significantly impact information and communications technology (“ICT”) and other companies with business operations or interests in China.

Those that most merit the close attention of companies are those that relate to (1) the “secure” operations of networks and “critical information infrastructure,” and (2) data protection. This post focuses on the latter.

Carriers Agree to $3.5 Million FCC Fine For Alleged Privacy Violations

Posted in Data Security, Federal Communications Commission, United States

In a consent decree adopted yesterday by the Federal Communications Commission, two telecommunications carriers — TerraCom, Inc., and YourTel America, Inc. — agreed to pay a $3.5 million civil penalty and adhere to a three-year compliance program to settle allegations that the carriers violated the federal Communications Act by failing to adequately protect “proprietary information” the carriers collected from consumers applying for federally subsidized phone service under the Lifeline program.  The consent decree reiterates the FCC’s interpretation of Sections 201 and 222 of the federal Communications Act — first articulated in an October 2014 decision proposing to fine TerraCom and YourTel $10 million — broadening telecommunications carriers’ privacy and data security obligations.  The consent decree also settles allegations that YourTel failed to de-enroll certain subscribers after being instructed to do so by the Universal Service Administrative Company, which administers Lifeline.

Privacy Weekend: Provocative Articles We’re Reading Now

Posted in Privacy Weekend

As readers of the InsidePrivacy blog know, we often save some fun reading on privacy issues for the weekend, given the crush of business during the week. This week, we’re up for some digital magazine reading. It’s refreshing when privacy issues burst into the mainstream consciousness, and we have two great examples of that this week — robotics in Foreign Affairs, and the Internet of Things in Politico.

Senate Panel Debates Law Enforcement Access to Encrypted Communications

Posted in Cybersecurity

The Senate Judiciary Committee today held a hearing about the increased challenges that encryption poses for law enforcement. Government officials testified that advances in encryption technology make it more difficult for them to monitor communications, but there was little indication that lawmakers are prepared to require technology providers to ensure that law enforcement has backdoor access to encrypted communications and data.

Committee Chairman Charles Grassley, R-Iowa, said that the hearing is the first step in a conversation about the problem, and he hopes to see whether “any consensus is possible on this very important issue.”