Eleventh Circuit Hands Another VPPA Loss to Video App Plaintiffs

In Perry v. Cable News Network, the Eleventh Circuit dealt another loss to putative class-action plaintiffs seeking to use the Video Privacy Protection Act (“VPPA”) as a weapon against free online video services. The court affirmed that to be a “subscriber” of a video service—someone who can sue under the VPPA—one must have a genuine commitment, relationship, or association with that service. Because the Perry plaintiff could not show that, he lost.

The VPPA creates a cause of action against video service providers that disclose their consumers’ personally identifiable information alongside their viewing information. The typical Internet example is a paid video service that gives an advertiser a paying subscriber’s email address and viewing history.

To sue under the VPPA, a person must be a “consumer.” The VPPA defines that term as meaning a renter, purchaser, or subscriber of goods or services from a video service provider. “Subscriber” has raised the question of whether someone who downloads and uses a free app can be a “consumer” who can sue under the VPPA. At least in the Eleventh Circuit, Ellis v. Cartoon Network, Inc. answered that question: something more than mere use is needed. Instead, Ellis held that a proper VPPA plaintiff needs “some type of commitment, relationship, or association (financial or otherwise)” between the plaintiff and the video service provider.

In Perry, the district court relied on Ellis to dismiss plaintiff Perry’s suit without leave to amend because he was merely a user of CNN’s free app. Perry argued he could state a VPPA claim because he subscribed to CNN’s television channel through his cable package. This cable subscription let Perry access exclusive content via the CNN app. Perry said this made him a CNN app subscriber. He also said he paid CNN indirectly through his cable subscription. Perry appealed to the Eleventh Circuit on those theories.

FCC Chairman Pai Proposes New Regulatory Framework for Broadband ISPs, Seeks Comment on Net Neutrality Rules

By Matt DelNero and David Bender

In a widely anticipated step, FCC Chairman Ajit Pai has released a draft Notice of Proposed Rulemaking (“NPRM”) on the legal framework that governs broadband providers and related net neutrality questions.

Most notably from a privacy perspective, the draft NPRM proposes to find that broadband Internet access service is an “information service” under the Communications Act, reversing the 2015 “telecommunications service” classification that had brought broadband providers under the statutory privacy requirements of Title II of that Act.

The draft NPRM states that the 2015 reclassification “stripped FTC authority over Internet service providers,” in light of the common carrier exemption in Section 5 of the FTC Act. By reversing the FCC’s prior finding that broadband is a common carrier service, the draft NPRM proposes to “return jurisdiction over Internet service providers’ privacy practices to the FTC, with its decades of experience and expertise in this area.”

Federal Trade Commission Plans to Clarify its Data Security Standard

The Federal Trade Commission (FTC) has announced that it is launching a new initiative to improve data security guidance and transparency as part of a broader plan to implement process reform initiatives.  In an interview with Politico Pro (subscription required) last week, the new acting director of the FTC’s Bureau of Consumer Protection, Thomas Pahl, discussed the FTC’s goal of supplementing existing data security recommendations with best practices and concepts drawn from recently closed investigations.

Under the FTC’s current standard, companies are advised to employ “reasonable” data security measures based on, among other things, the nature of their business and the sensitivity of the information involved.  Pahl noted that companies would benefit from up-to-date information that describes the types of safeguards that the FTC considers “reasonable.”  To that end, the FTC is analyzing previously closed investigations and comparing findings to cases that triggered enforcement actions so it can share best practices.

It is unclear whether the FTC will release improved data security guidance separately or as an add-on to its existing “Start with Security: A Guide for Business” publication.  Pahl also indicated that additional and clearer guidance would likely encourage interested companies to comply with data security standards, but that the FTC will continue to bring enforcement actions where appropriate.

Advocacy Groups Urge FCC to End Data Retention Mandate

On April 24th, the Electronic Privacy Information Center (“EPIC”) and a coalition of 37 other civil society groups sent a letter urging the Federal Communications Commission (“FCC”) to act on an August 2015 petition to repeal the FCC’s data retention mandate under 47 C.F.R. §42.6 (“Retention of Telephone Toll Records”).

The mandate requires communications carriers that “offer[] or bill[] toll telephone service” to retain the following customer billing records for a period of 18 months: (1) the “name, address, and telephone number of the caller,” (2) the “telephone number called,” and (3) the “date, time, and length of the call.” Carriers are required to retain such information regardless of whether they are billing their own toll service customers or billing customers for another carrier.

Developments in the Right to Be Forgotten

As we approach the May 2018 effective date of the EU General Data Protection Regulation (“GDPR”), there have been a number of global developments over the last few months with respect to the so-called “right to be forgotten,” which will be codified under Article 17 of the GDPR.

European Developments

In the EU, we previously reported on a Court of Justice of the EU (“CJEU”) decision that limits the right to be forgotten with respect to public records. And in February, a French high administrative court raised several questions to the CJEU relating to the right to be forgotten in light of the Google v. Costeja Gonzalez decision. The questions address whether and in what circumstances search engines must delist links to websites in response to requests from data subjects, and arose in the context of a pending dispute between Google and CNIL, the French data protection authority.

A decision by a Circuit Court in Ireland recognized the right of a former election candidate to request the removal of information posted about him on Reddit under the right to be forgotten. And the UK recently solicited views on its own implementation of the GDPR, including input regarding the interplay between the right to be forgotten and freedom of expression in the media.

UK Starts 3-Week Consultation on GDPR Implementation

On Thursday, April 20th, the UK government launched a “Call for Views” regarding the UK’s options for the implementation of the new EU General Data Protection Regulation (GDPR) at national level.  The consultation deadline is May 10th, at mid-day UK time.

Although the GDPR was an effort to bring greater harmonization to data protection regimes throughout the EU, it nevertheless contains a number of areas in which national laws can deviate from its default position – for instance to permit researchers to store and use health data without having to repeatedly seek consents, or to ensure that freedom of expression is not unfairly curtailed by the “right to be forgotten.”

New Mexico Becomes 48th State with Data Breach Notification Law; Tennessee Restores Exemption for Encrypted Data

Last week, New Mexico and Tennessee both passed legislation updating each state’s requirements for notifying residents following a data breach.  New Mexico’s new law, H.B. 15, makes it the 48th U.S. state to enact a state data breach notification law, leaving Alabama and South Dakota as the only states that have not enacted similar laws.  Tennessee’s bill, S.B. 547, amended its Identity Theft Deterrence Act of 1999 to exempt certain encrypted data from triggering notification requirements.

Irish Data Protection Commissioner Releases 2016 Annual Report

By Denitsa Marinova

On April 11, 2017, the Data Protection Commissioner of Ireland (DPC) published her annual report for 2016, highlighting key developments and activities for the past year and outlining priorities for 2017 and beyond.  The report will be of interest to Irish entities and multinational organizations with a base in Ireland, including companies active in the technology and healthcare sectors.

In 2016, the DPC investigated a record number of complaints (1,479 in total, the majority involving data access requests); received 2,224 notifications of valid data security breaches (a decrease from 2015); carried out over 50 privacy audits and inspections; acted as lead reviewer in seven Binding Corporate Rules (BCR) applications; and held over 100 face-to-face meetings with multinational companies.

China Seeks Public Comments on Draft Regulation on Cross-Border Data Transfer

On April 11, 2017, the Cyberspace Administration of China (“CAC”) released a draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (“the Draft Measures”) for public comment (official Chinese version available here).  The comment period ends on May 11, 2017.

The issuance of the long-anticipated Draft Measures is another critical step toward implementing China’s Cybersecurity Law (“the Law”), which is set to take effect on June 1, 2017 (see our alert on the Law here). Importantly, the Draft Measures, if enacted in their current form, would mandate all “network operators” to self-assess the security of their cross-border data transfers and significantly broaden the scope of entities that potentially need to undergo security assessments for such transfers by the Chinese government. Companies that fall into the scope of “network operators,” but may not qualify for “operators of Critical Information Infrastructure” (“CII”), could see their cross-border data transfers regulated under the Draft Measures.

Broad Minnesota Warrant Seeks Data on All Users Who Googled Fraud Victim

A Minnesota state court on February 1, 2017, issued an unusually broad search warrant directed to Google in connection with a wire fraud case.  The warrant seeks a broad set of data about all users who searched on Google for a specific person between December 1, 2016 and January 7, 2017.  The warrant became public after a researcher published an article discussing the warrant application and judge’s order.