New Jersey District Judge Dismisses All Counts Against Smart TVs

By Jadzia Pierce on October 8, 2018 Posted in Data Privacy

On September 26, 2018, New Jersey federal district judge Madeline Cox Arleo dismissed an eight-count class action complaint in its entirety against three smart TV makers: Samsung, LG, and Sony. The plaintiffs alleged that defendants’ smart TVs continuously monitored and tracked their viewing habits, recorded their voices, and then transmitted that information to defendants’ servers, after which the information was shared with third-party advertisers and content providers. The judge dismissed all counts:

Federal Law Claims: Plaintiffs made two federal law claims: one under the Video Privacy Protection Act (“VPPA”) and one under the Wiretap Act (which is part of the Electronic Communications Privacy Act, or “ECPA”).

VPPA: Under the VPPA, plaintiffs must allege that a Video Tape Service Provider (“VTSP”) “knowingly disclosed” “personally identifiable information” (“PII”) concerning a consumer of such provider. The statute defines “PII” as “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider,” and the Third Circuit construes the VPPA as prohibiting “disclosures of information that would, with little or no extra effort, permit an ordinary recipient to identify a particular person’s video-watching habits.” See In re Nickelodeon Consumer Privacy Litigation (3d Cir. 2016). Plaintiffs alleged that Defendants disclosed “extensive information about plaintiffs’ and consumers’ digital identities, namely, consumers’ video-viewing history, consumers’ computer addresses, and information about other devices connected to the same Wi-Fi network.” The Court held that under In re Nickelodeon, the appropriate standard, plaintiffs failed to allege how an “ordinary recipient” of the data at issue could use it to “identify a particular person” “with little or no extra effort.”
Wiretap Act: The Wiretap Act prohibits “interceptions” of electronic communications, but also provides that it is not unlawful for a person to intercept an electronic communication where such a person is a party to that communication. As such, when plaintiffs alleged that defendants violated the Wiretap Act by intercepting electronic communications (specifically, electronic communications that the defendants’ smart TVs transmitted to plaintiffs, and communications that plaintiffs sent to defendants’ servers), defendants argued that they had not violated the Wiretap Act, among other reasons, because they were parties to the alleged communications. The court agreed with the defendants, finding that plaintiffs’ focus on whether defendants took plaintiffs’ and consumers “identifying information in real-time” could not overcome the fact that any communications to the smart TV manufacturers would not violate the Wiretap Act.

Other Claims

Plaintiffs also alleged four contract-based claims and two fraud-based claims:

Contract-based claims: Plaintiffs’ contract-based claims were for (1) breach of contract, (2) breach of duty of good faith and fair dealing, (3) breach of express warranty, and (4) unjust enrichment. Defendants argued that the first three claims failed because plaintiffs did not identify any actual contract or specific affirmation, promise, or guarantee made to them by the smart TV manufacturers. In addition, defendants argued that plaintiffs failed to identify a loss sustained by the plaintiffs or a benefit received by defendants, and therefore failed to state a claim for unjust enrichment. The court agreed and dismissed all four claims.
Fraud-based claims: Plaintiffs’ two fraud-based claims (unfair and deceptive tracking and transmission, and deceptive omissions) were brought under New Jersey’s Consumer Fraud Act. However, with the plaintiffs being from New York and Florida respectively, the only connection that they alleged between their claims and New Jersey was the defendant smart TV manufacturers’ allegedly “super-massive” presence in New Jersey. However, the Third Circuit has consistently maintained that a non-resident plaintiff cannot bring a Consumer Fraud Act claim where the sole connection to New Jersey is the defendants’ location, and the court therefore dismissed both fraud claims.

Covington represented Samsung in this case (White, et al. v. Samsung Electronics America, Inc., et al.).

FCC Seeks Comment on Ninth Circuit’s Expansive TCPA Interpretation in Marks

By Rafael Reyneri on October 4, 2018 Posted in Advertising & Marketing, Federal Communications Commission

Yesterday, the FCC released a Public Notice seeking comment on a recent decision issued by the U.S. Court of Appeals for the Ninth Circuit in Marks v. Crunch San Diego, LLC, No. 14-56834 (Sept. 20, 2018). The Public Notice, issued in the context of the FCC’s Telephone Consumer Protection Act (TCPA) reform proceeding, seeks comment on how the FCC should interpret the phrase “automatic telephone dialing system” (ATDS) as that term is used in the TCPA. In seeking comment, the FCC noted the tension between Marks and the interpretation of that same statutory provision by the U.S. Court of Appeals for the D.C. Circuit in ACA Int’l v. FCC, 885 F.3d 687 (2018). We previously discussed the ACA Int’l decision here.

In Marks, the Ninth Circuit examined the TCPA’s definition of an ATDS, which is defined in the statute as equipment that has the capacity “to store or produce telephone numbers to be called, using a random or sequential number generator.” The court found that whether the clause “using a random or sequential number generator” applies to both storing and producing telephone numbers to be called is ambiguous, and it concluded that this clause applies only to “producing” telephone numbers to be called. The Ninth Circuit therefore concluded that the definition of an ATDS includes equipment that has the capacity to automatically dial stored numbers—regardless of whether a random or sequential number generator is used.

The Ninth Circuit’s decision in Marks can be viewed as conflicting with the D.C. Circuit’s conclusion in ACA Int’l. In that case, the D.C. Circuit vacated the FCC’s 2015 interpretation of the definition of an ATDS (which was similar to the Ninth Circuit’s) as unreasonably broad.

Comments responding to the FCC’s public notice are due October 17, 2018, with reply comments due October 24, 2018.

IoT and AI Update: California Legislature Passes Bills on Internet of Things, Artificial Intelligence, and Chatbots

By Ani Gevorkian and Jadzia Pierce on October 3, 2018 Posted in Uncategorized

The California legislature recently passed three bills meant to address rapidly-developing technologies including the Internet of Things, artificial intelligence (AI), and chatbots.

Internet of Things. At the end of August, California became the first state to promulgate regulations requiring security features for Internet-connected devices. Senate Bill 327 requires that a manufacturer of a connected device equip the device with “reasonable security features” that are (1) appropriate to the nature and function of the device; (2) appropriate to the information it may collect, contain, or transmit; and (3) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure. Continue Reading

NTIA Requests Comments Regarding Federal Approach to Consumer Privacy

By Rafael Reyneri on October 3, 2018 Posted in Data Privacy

Last week, the National Telecommunications and Information Administration (NTIA) published a request for comments on how it should approach consumer privacy policy. NTIA noted that federal action is needed because a growing number of countries and U.S. states have adopted distinct policy approaches with respect to consumer privacy, which risks a fragmented regulatory regime that will harm innovation.

GDPR: Top 5 Post-Implementation Issues for Airlines

By Joshua Gray on October 3, 2018 Posted in Airlines, Data Breaches, Data Privacy, Data Security, Privacy Policies, Travel

On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into effect. The GDPR establishes some of the most robust privacy requirements globally and is likely to be a model followed by other jurisdictions. Airlines are uniquely affected by the GDPR with passenger data being at the heart of their business and international operations. As new technologies allow airlines to pursue new and innovative uses of customer data, it is imperative that airlines continue to conduct their operations with GDPR compliance in mind, particularly given the financial and other reputational issues that can arise for a failure to meet the GDPR’s strict requirements.

Below are 5 key issues for airlines to consider in relation to the GDPR post-implementation. Continue Reading

Senate Examines Potential for Federal Data Privacy Legislation

By Jayne Ponder on October 1, 2018 Posted in Uncategorized

On September 26th, the Senate Committee on Commerce, Science, and Transportation held a hearing on data privacy, focusing in part on the potential for federal privacy regulation. The discussion centered on two issues: (1) the potential for Congress to pass a federal privacy law, including the scope and model for any such law, and (2) the role of the Federal Trade Commission (“FTC”) in regulating data privacy practices. Representatives from Apple, Amazon, AT&T, Charter Communications, Google and Twitter testified.

Chairman John Thune (R-SD) opened the hearing by saying that the Senate is only beginning to address issues of consumer privacy. According to Senator Thune, the hearing “grows out of recent concerns about consumer privacy,” but “is not intended to be a ‘gotcha’ hearing.” Rather, he said, the hearing “represents the beginning of an effort to inform our development of a federal privacy law.”

On the topic of a potential new federal privacy law, technology company representatives appeared to agree on certain broad privacy principles that could be incorporated into legislation. Damien Kieran, Global Data Protection Officer and Associate Legal Director at Google, referenced that company’s data privacy framework, which was released prior to the hearing. A number of industry associations also released federal privacy principles in advance of the hearing, including BSA | The Software Alliance, the Chamber of Commerce, and the Internet Association. Several of those principles call for a federal framework that preempts state laws, with the Chamber supporting preemption of state data privacy laws and the Internet Association supporting preemption of both state consumer privacy and data security laws. In addition, the BSA and Chamber principles urge any framework to support the free flow of data across international borders, with BSA stating any framework should “enable and encourage global data flows.”

At the hearing, senators disagreed about the model for any potential new federal privacy law. Senator Jerry Moran (R-KS) pushed back on suggestions that a new federal law should adopt either the approach embodied by the EU General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act (“CCPA”). Rather, he argued that adopting those laws in the United States could harm “innovative and entrepreneurial businesses.” Senator Thune also expressed concern that privacy laws favor incumbents over new entrants in the marketplace. At the same time, Democrats like Senator Brian Schatz (D-HI) emphasized that a privacy law must be “meaningful” and at least as strong as the CCPA if federal law would preempt such state legislation.

Technology companies testifying at the hearing also disagreed on what form any federal privacy law should take, including whether it should include an opt-in or opt-out consent model. Several technology company witnesses voiced concerns with adopting a framework similar to the GDPR, which they viewed as onerous. Len Cali, Senior Vice President for Global Public Policy at AT&T, suggested that the CCPA would be a better model than the GDPR, but said that several provisions of that law, such as the non-discrimination provision and the broad definition of personal information, should be reconsidered before using it as a model for potential federal legislation. All technology company witnesses agreed that any new federal law should preempt state regulation in this area.

In addition, Senator Bill Nelson (D-FL) and Senator Schatz focused on the FTC’s role. Senator Nelson asked if industry believed the FTC was the appropriate body to regulate data privacy and whether the FTC should be vested with more authority. Although all technology company representatives agreed that the FTC was the appropriate regulatory body, none voiced support for increasing the agency’s authority, while Senators Nelson and Schatz indicated that they believe increased FTC authority is appropriate.

Congress and federal agencies are expected to increase their focus on these issues in coming months and Senator Thune said the Senate Commerce Committee would hold further hearings on data privacy. In the House of Representatives, Representative Suzan DelBene (D-WA) has already introduced legislation that would require the FTC to issue new regulations requiring companies that collect, storage, process or share sensitive personal information to enact data privacy and use policies that provide specific types of notice to consumers, enable consumer opt-outs, and obtain third-party audits of their privacy controls, among other requirements.

At the agency level, the Department of Commerce National Telecommunications and Information Administration (“NTIA”) issued a request for comment on September 26, the same day as the Senate Commerce hearing. The NTIA seeks comment on seven proposed outcomes for federal action on consumer privacy policy and on eight high-level goals for federal action to protect privacy. The NTIA also seeks comments on related issues including “next steps and measures the Administration should take to effectuate . . . user-centric privacy outcomes,” such as Executive action, procurement requirements, or non-regulatory actions. NTIA also asks for comment on whether changes are needed to the FTC’s statutory authority, resources, or processes, in order for the FTC to achieve the goals set out in NTIA’s request for comment.

Australia Proposes New Encryption Legislation

By Jadzia Pierce on September 19, 2018 Posted in International

In August 2018, the Government of Australia unveiled a new proposed bill that would grant the county’s national security and law enforcement agencies additional powers when confronting encrypted communications and devices. The text of the draft Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the “Assistance and Access Bill” or the “Bill”) states that the purpose is “to secure critical assistance from the communications industry and enable law enforcement to effectively investigate serious crimes in the digital era.”

The Assistance and Access Bill, if enacted, could affect a wide range of service providers both in and outside of Australia. Continue Reading

ICO consults on privacy “regulatory sandbox”

By Joshua Gray on September 17, 2018 Posted in Artificial Intelligence (AI), Data Security, Emerging Technologies

Designing data-driven products and services in compliance with privacy requirements can be a challenging process. Technological innovation enables novel uses of personal data, and companies designing new data-driven products must navigate new, untested, and sometimes unclear requirements of privacy laws, including the General Data Protection Regulation (GDPR). These challenges are often particularly acute for companies providing products and services leveraging artificial intelligence technologies, or operating with sensitive personal data, such as digital health products and services.

Recognising some of the above challenges, the Information Commissioner’s Office (ICO) has commenced a consultation on establishing a “regulatory sandbox”. The first stage is a survey to gather market views on how such a regulatory sandbox may work (Survey). Interested organisations have until 12 October to reply.

The key feature of the regulatory sandbox is to allow companies to test ideas, services and business models without risk of enforcement and in a manner that facilitates greater engagement between industry and the ICO as new products and services are being developed.

The regulatory sandbox model has been deployed in other areas, particularly in the financial services sector (see here), including by the Financial Conduct Authority in the UK (see here).

Potential benefits of the regulatory sandbox include reducing regulatory uncertainty, enabling more products to be brought to market, and reducing the time of doing so, while ensuring appropriate protections are in place (see the FCA’s report on its regulatory sandbox here for the impact it has had on the financial services sector, including lessons learned).

The ICO indicated earlier this year that it intends to launch the regulatory sandbox in 2019 and will focus on AI applications (see here).

Further details on the scope of the Survey are summarised below.

UK “No-Deal Brexit” Technical Notice Sets Out Plans on EU – UK Data Flows

By Inside Privacy on September 16, 2018 Posted in European Union, United Kingdom

By Grace Kim and Ezra Steinhardt

On September 13, 2018, the UK government published a series of technical notices on how to prepare for a scenario in which the UK leaves the EU without agreement on March 29, 2019 (“no-deal Brexit”). The government stressed that a no-deal Brexit “remains unlikely given the mutual interests of the UK and the EU in securing a negotiated outcome,” but that “it’s our duty as a responsible government to prepare for all eventualities.” One of the notices, “Data protection if there’s no Brexit deal,” sets out the UK government’s position on data flows between the UK and EU and recommends actions that organizations should take to help ensure the continued flow of personal data from the EU to the UK if no agreement is reached.

Data privacy standards in the UK to remain the same

In the event of a no-deal Brexit, the technical notice is clear that the UK will maintain the same data protection standards as exist today. This is because the General Data Protection Regulation (“GDPR”) currently applies in the UK (as it remains, for now, an EU Member State), and, at the point of a no-deal Brexit, the UK would incorporate the GDPR into UK law. The GDPR rules — now and following Brexit — are supplemented by the UK Data Protection Act 2018, which sets out how certain aspects of the GDPR apply in the UK (e.g., in relation to children’s data). Continue Reading

Key Provisions in India’s Draft Personal Data Bill

By Dena Feldman on September 12, 2018 Posted in Cross-Border Transfers, Data Privacy, India, International

Key Provisions in India’s Draft Personal Data Bill

This post is a follow-up to our earlier post on the release of India’s draft personal data protection bill. In this post, we go into greater detail about the bill’s provisions and flag issues for companies worldwide that may process data in India or provide goods or services in India.

High Level Insights

The General Data Protection Regulation (GDPR) as a Model: For the most part, the Committee’s recommendations use GDPR as a model. The draft bill grants individual rights, institutes heightened consent requirements, mandates organizational practices such as DPIAs, and imposes stiff penalties for non-compliance. However, the draft bill coins new terminology, referring to GDPR’s “data subjects” as “data principals” and GDPR’s “data controllers” as “data fiduciaries.”

Data Localization: The Committee includes a data localization provision that requires copies of Indian personal data be stored in India. Likewise, it erects barriers that make it more difficult to transfer personal data out of India.

The Central Role of the Data Protection Authority (DPA): As in GDPR, the draft bill would introduce a DPA with the power to interpret regulations, investigate businesses, and issue fines, injunctions, and even criminal penalties. But unlike GDPR, the Committee’s proposal empowers the DPA to engage in rulemaking. For example, the DPA could identify new categories of sensitive data, specify new lawful bases for processing, and decide whether a particular business needs to hire a DPO, perform a DPIA, or undergo a data audit. As such, the DPA’s leadership and structure may have a substantial impact on the scope of India’s data protection regime.