As many data breach litigation cases have demonstrated over recent years, the question of a plaintiff’s standing can be quite important to the outcome of each case. While the Supreme Court has addressed standing issues in several cases with potential applicability in the data breach litigation context, most recently in Spokeo, Inc. v. Robins and Clapper v. Amnesty International, the Court has not yet addressed head-on the question of standing requirements for plaintiffs in data breach litigation. More recently, a cert petition in another data breach standing case (In re Zappos.com), discussed below, has been distributed for conference this Friday, December 7, 2018. As the Court considers whether to grant cert and address this issue, this post provides an overview of the circuit split on standing in data breach litigation cases and efforts to convince the Court to revisit the issue and provide more precise guidance.
On December 4, 2018, the Federal Trade Commission (“FTC”) announced that it is accepting public comments regarding its Identity Theft Detection Rules, 16 C.F.R. Part 681 (the “Rules”), as part of a systematic review of the Commission’s regulations and guidelines. The review of the Rules is particularly noteworthy because identity theft is among the top consumer complaints to the FTC, and has been an enforcement priority for the FTC’s Bureau of Consumer Protection.
Just before the Thanksgiving holiday, the Federal Trade Commission (“FTC”) announced the issuance of consent orders involving Creaxion Corporation and Inside Publications, LLC to settle allegations that the companies misrepresented paid endorsements as independent opinions, and misrepresented paid commercial advertising as independent editorial content. As a result, these companies and their principals are now prohibited from making misrepresentations about the status of their endorsers, required to clearly and conspicuously disclose material connections with such endorsers, and are required to monitor their endorsers.
Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”). Since the entry into force of the GDPR, three German courts have been asked to decide whether an infringement of the GDPR can similarly serve as a basis for such claims. While the first two decisions were issued by courts of first instance, the third and most recent decision was decided by the High Court of Hamburg.
Finally, in the most recent decision of October 25, 2018 (available here), the High Court of Hamburg was asked by a pharma company to grant injunctive relief against a competing pharma company because the competitor had erroneously relied on a provision of the old German Data Protection Act allowing the processing of health data for health care and medical diagnosis. According to the court, that provision did not apply to the pharma company, which should have obtained the patients’ consent, as its competitors did. However, the court held that, to determine whether an infringement of a data protection provision can serve as the ground for an anti-competition claim, the provision allegedly infringed must be assessed on a case-by-case basis, looking at its “market behavior regulating character”. In this case, the norm requiring the company to obtain consent does not have a “market behavior regulating character”, and the claim was therefore rejected.
The above judgments show that, at this moment, the question of whether a GDPR violation can serve as the basis for anti-competition claims remains unsettled in Germany. In an attempt to resolve this issue, the German Region of Bavaria proposed a bill before the German Federal Parliament in June 2018 (available here), which excludes data protection provisions from the scope of the UWG. If adopted, violations of data protection law could no longer serve as a basis to bring claims against competitors under the UWG.
On November 23, 2018, the European Data Protection Board (“EDPB”) issued draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (“Guidelines”). As per standard procedure, the EDPB has published this first version of the Guidelines to allow for public consultation about its contents over the next several months. At the conclusion of the consultation period on January 18, 2019, the EDPB will issue a final version incorporating any changes or amendments made on the basis of comments received from stakeholders. Parties may submit comments to the EDPB by sending an email to: EDPB@edpb.europa.eu.
The Guidelines are divided into four sections. The first three give interpretive analysis on Articles 3(1), 3(2) and 3(3) of the GDPR, respectively. The final section provides additional clarification about the possible duty to appoint a representative within the EU for controllers and processors not established in the EU. The Guidelines analyze specific provisions of the GDPR, make reference to existing EU case law, and offer practical examples that illustrate how to apply the provisions of Article 3 in everyday situations.
With regard to Article 3(1), the EDPB examines the broad concept of an “establishment” under EU law, and specifically its application to personal data processing that may take place “in the context of the activities” of an establishment. The EDPB points to landmark cases such as Google Spain and Weltimmo to show how these concepts have been applied by EU courts. The EDPB also notes that this broad notion of an “establishment” is not unlimited and recommends a case-by-case analysis.
With regard to Article 3(2) – which is perhaps the most controversial provision of the GDPR, potentially triggering its extraterritorial application to parties with no EU establishment – the EDPB provides some helpful clarifications. The Guidelines emphasize the importance of considering (i) whether the targeted data subjects are in the EU (regardless of nationality, residency or legal status), and (ii) whether the processing relates to offering them goods/services or monitoring their behavior in the EU.
“Targeting” by offering goods and services. The EDPB emphasizes that a controller or processor with no establishment in the EU must show a clear intention of doing business with EU customers to be considered “targeting” individuals in the EU with goods or services. Again, this requires a case-by-case analysis involving a range of different factors (e.g., whether the EU or a specific Member State is mentioned on a website, whether search engines are paid to market to a specific EU country audience, or the use of EU-specific languages or currencies).
“Targeting” by monitoring behavior. A controller or processor is “targeting” individuals in the EU by monitoring their behavior if the monitored behavior (i) relates to an individual in the EU and (ii) takes place in the EU. Once again, the EDPB offers several criteria to consider when making this determination (e.g., behavioral advertising, geo-localization activities, online tracking using cookies, CCTV, and so forth). However, the EDPB does not hold that all online collection or analysis of personal data of individuals in the EU counts as “monitoring”. Rather, it is necessary to consider the controller’s purpose in processing the data, and particularly any behavioral analysis or profiling techniques used.
Finally, in the last section of the Guidelines, the EDPB clarifies certain issues related to the appointment of a representative in the EU by non-EU controllers and processors subject to the GDPR. The Guidelines discuss, among other things, the need to have a contract in place with the representative, the fact that the role is incompatible with that of a Data Protection Officer (and thus the two should not be combined), and, furthermore, that the GDPR may be enforced against a non-EU controller by way of its EU representative.
A recent press release from November 16, 2018 revealed that Malta’s Justice Minister introduced the right to be forgotten through a ministerial decree. Since 2013, 86 out of 131 judgments have either been anonymized or removed from the courts’ public database. The information came as a surprise to Malta’s legal community, as there had been no public announcement regarding the new right. The exact date the new right was introduced has not been confirmed.
In early November, the Dutch Supervisory Authority released an injunction imposed against the public insurance body Uitvoeringsinstituut Werkgeversverzekering (“UWV”) last July.
The UWV allows employers to submit data about their employees for social security purposes. The data includes the dates of employee absences due to general illness and, where an employee is pregnant or has given birth, the dates of the associated absences and parental leave. While the actual illness is not disclosed, the Supervisory Authority held that the data must be qualified as health data because the mere fact that someone is ill is indicative of their health.
In addition, the Supervisory Authority held that the UWV violated the security standard of the GDPR by applying only one-factor authentication (e-mail address and password) on its portal. According to the Authority, state-of-the-art security for a platform with this level of risk requires multi-factor authentication. The Authority relied on Dutch guidelines for public authorities offering digital services and on the Dutch NEN 7510 security standard for the health sector.
The UWV was ordered to conduct a new privacy impact assessment by October 1, 2018, and to implement appropriate security by October 31, 2019, with a penalty of €150,000 for each month of delay (up to a maximum of €900,000). The long transition period for improving its security is explained by delays in the roll-out of a standardized authentication tool for public bodies.
On November 20, 2018, the Illinois Supreme Court heard oral arguments in Rosenbach v. Six Flags Entertainment Corporation et al., a case arising under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). BIPA provides a private right of action for persons “aggrieved by a violation of [the] Act.” The crux of the issue presented to the Illinois Supreme Court is the meaning of “aggrieved by” under BIPA; in other words, what harm is sufficient to satisfy the statutory standing requirements underlying BIPA’s private right of action?
Last week, the National Telecommunications and Information Administration (“NTIA”) released submissions it had received from the Federal Trade Commission (“FTC”) staff and many other parties on NTIA’s proposed framework for advancing consumer privacy while protecting innovation. Although NTIA did not request comments on a possible federal privacy bill, most submissions took the opportunity to inform NTIA of what such a federal privacy bill should look like.
On November 9, 2018, the French Supervisory Authority for Data Protection (known as the “CNIL”) announced that it issued a formal warning (available here) ordering the company Vectaury to change its consent experience for customers and purge all data collected on the basis of invalid consent previously obtained.
Vectaury is an advertising network that buys online advertising space on behalf of its customers (advertisers). The company also offers a software tool that advertisers can integrate into their apps to collect geolocation data and information about users’ devices and browsers. The company analyses this data, compares it with certain geographic points of interest (e.g., physical stores) and creates profiles of users’ habits. Based on these profiles, the company organizes targeted advertising campaigns on behalf of advertisers. It also tracks users while they are in the advertisers’ physical stores in order to assess the effectiveness of advertising campaigns.
The consent mechanism offered by the apps displayed a short notice explaining that the application collects the user’s browsing history and geographic location for the purpose of targeted marketing. It offered users three options: to accept, to refuse, or to customize their preferences. According to the CNIL, the consent collected through the tool did not comply with three of the GDPR requirements for consent.
- First, the CNIL found that the consent was not informed because the information provided was unclear, used complex terms, and was not easily accessible (particularly the list of the third-party entities receiving the data).
- Second, the consent obtained at the time of the installation of the application was not sufficiently specific because it only gave users the option to consent or to refuse. Users were not asked to specifically consent to the processing of their geolocation data for targeted marketing purposes.
- Third, the CNIL pointed out that the consent obtained through the tool was not based on an affirmative action. Users selecting “customize my preferences” were directed to a separate pop-up with pre-checked options.
During the CNIL’s investigation, Vectaury implemented the “Consent Management Platform” tool developed by the Interactive Advertising Bureau. However, the CNIL found that the information provided and the consent obtained through this tool also did not meet the GDPR’s requirements for consent.
This is yet another enforcement action by the CNIL against an online marketing company, and the high standard applied by the CNIL is something to be reckoned with. Although Vectaury had a consent experience in place, allowed users to refuse consent, and even offered users granular preferences, this was still not enough. Interestingly, as on previous occasions, the CNIL does not appear to have investigated the advertisers that incorporated these tools into their apps.