The leadership of Ireland’s Data Protection Commission (“DPC”) is to be expanded to a three-person Commission, with the current Commissioner taking the lead role as Chair.  The Irish Minister for Justice announced the decision on July 27, 2022, along with the Government’s decision to undertake a review of its governance structures, staffing arrangements and processes for the newly modeled Commission.

Continue Reading Ireland Expands Leadership Structure of Data Protection Commission

On 18 July 2022, following its recent response to the public consultation on the reform of UK data protection law (see our blog post on the response here), the UK Government introduced its draft Data Protection and Digital Information Bill (the “Bill”) to the House of Commons.

The Bill is 192 pages, and contains 113 sections and 13 Schedules, which amend and sit alongside existing law (the UK GDPR, Data Protection Act 2018 (“DPA”), Privacy and Electronic Communications Regulations 2003 (“PECR”), the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, etc.). Some readers’ immediate reaction might be to query whether the Bill will simplify the legislative framework for businesses operating in the UK and facilitate the goal of the Information Commissioner to provide “certainty” for businesses. Time will tell. The Government’s publication of a Keeling Schedule (essentially a redline of the UK GDPR and DPA 2018 showing the changes resulting from the Bill), expected in the Autumn, will be welcome.

Much of the content of the Bill was previewed in the Government’s consultation response and includes proposed changes that are designed to reduce the administrative burden on business to some extent.  The Bill is by no means a radical departure from existing law, however, and in some key areas – such as data transfers – the law will essentially remain the same.  But we now have additional important details on proposed changes to UK data protection law, and we set out in this post our immediate thoughts on some details that are worth highlighting.

Continue Reading A Cautious Approach: the UK Government’s Data Protection and Digital Information Bill

The California Privacy Protection Agency (“CPPA”) announced it will hold a special meeting on July 28, 2022 at 9 a.m. PST to discuss and potentially act on proposed federal privacy legislation, including the bipartisan American Data Protection and Privacy Act (“ADPPA”) (H.R. 8152).  The ADPPA is a comprehensive data privacy bill that advanced through the House Committee on Energy & Commerce on June 20 and may be headed to the House floor before the end of this Congress.  The ADPPA, as currently drafted, would preempt significant portions of state consumer privacy laws, including the California Consumer Privacy Act (“CCPA”).  It is notable that during the Energy & Commerce Committee’s consideration of the bill, several members of the California delegation expressed specific concerns about the legislation’s broad preemption provisions.  Although the CPPA has yet to formally take a position on the latest version of the ADPPA, CPPA staff memoranda and other related letters suggest that the CPPA will oppose federal privacy legislation that seeks to preempt the state’s comprehensive consumer privacy protections. 

The CPPA has posted the special meeting agenda and virtual attendance link.  Additional meeting materials, including staff memorandum on the issues, can be found here.  The CPPA noted that members of the public will be given the opportunity to comment.

In October 2019, the UK and U.S. Governments signed an agreement on cross-border law enforcement demands for data from Communication Service Providers (the “Agreement”, which we described in our earlier post here). Only now, however, have the two countries completed the procedural steps required to bring the Agreement into force. On July 21, 2022, they issued a joint statement (available here) explaining that the Agreement will come into force on October 3, 2022.

The joint statement emphasizes that the aim of the Agreement is to “allow information and evidence that is held by service providers within each of our nations and relates to the prevention, detection, investigation or prosecution of serious crime to be accessed more quickly than ever before.” The UK Government’s factsheet on the announcement (available here) further clarifies that the process under the Agreement is intended to be faster than processes under existing mutual legal assistance treaties (“MLAT”). This is because, as set out in our prior post, Communication Service Providers subject to UK or U.S. jurisdiction will no longer be prohibited under domestic law from responding to demands from competent authorities in the other country to the extent that demand is made under the Agreement. Under MLAT processes, in contrast, authorities issuing a demand for data in one country must typically wait for law enforcement authorities in the other country to issue a demand under their domestic legislation, and this typically takes a significant amount of time.

The substance of the Agreement remains unchanged by the joint announcement, but the practical upshot is that from October 3, Communication Service Providers in the UK and the United States will need to be prepared to recognize demands issued under the Agreement. These providers should also note that the Agreement does not oblige law enforcement authorities to issue data demands under it. In other words, authorities can continue to issue demands outside the scope of the Agreement.

It is unclear what, if any, impact the entry into force of the Agreement will have on the UK’s status as an “adequate” jurisdiction under the EU’s General Data Protection Regulation (“GDPR”). The current adequacy decision takes the position that the Agreement as written would not undermine the level of protection provided by UK law, but the Commission also asserts that it will take account of any developments resulting from the application of the Agreement in practice as part of ongoing monitoring of the adequacy decision. Accordingly, any potential impact of the Agreement on UK adequacy is likely to emerge only after October 3.

On July 21, 2022, the Cyberspace Administration of China (“CAC”) – the country’s primary regulator for cybersecurity and privacy – imposed a fine of RMB 8.026 billion (around $1.2 billion USD) on China’s largest ride-hailing company for violating data protection laws, including the Cybersecurity Law, Data Security Law and Personal Information Protection Law.  In addition, the CEO and the President of the company were each personally fined RMB 1 million (around $150,000 USD).

The public notice of the penalty decision does not provide much detail, but a CAC spokesperson indicated in a press conference that the administration found a total of 16 violations.  This included the illegal collection of large volumes of data on passengers, such as screenshots from albums on mobile devices, user clipboard information and application list information, facial recognition data, and age-related data.  According to the CAC, the company also failed to accurately specify the processing purposes for 19 different types of personal information, including user device information.  

According to the CAC spokesperson, these violations began in May 2015 and have continued to this day, so that they constitute continuing violations of the Cybersecurity Law (in effect since June 2017), the Data Security Law (in effect since September 2021), and the Personal Information Protection Law (in effect since November 2021).

Looking ahead, the CAC spokesperson indicated that the CAC will continue to strengthen enforcement in the areas of cybersecurity, data security and personal information protection.

Late last week, the Seventh Circuit affirmed a trial court’s ruling granting dismissal at summary judgment of claims against FCA US LLC (“FCA,” formerly known as Chrysler) and Harman International Industries, Inc. (“Harman”) for lack of Article III standing.  See Flynn v. FCA US LLC, — F. 4th —-, 2022 WL 2751660 (7th Cir. July 14, 2022).  Plaintiffs’ class-action complaint claimed injuries arising out of an alleged cybersecurity vulnerability in an infotainment system designed by Harman for installation in FCA vehicles manufactured between 2013 and 2015.  See id. at *1.  However, after discovery, the Plaintiffs offered the trial court no evidence establishing that the vulnerability actually caused them any harm. 

Having failed to cite “any factual support for their claimed injury” in the trial court, id. at *3, the Plaintiffs shifted gears and sought, on appeal, to rely on portions of their expert reports regarding an “overpayment” theory that they had not relied on in the trial court, id. at *4.  Under that argument, Plaintiffs claimed that “they paid more for their vehicles than they would have if they had known about the cybersecurity vulnerability.”  Id. at *1.  The Seventh Circuit rejected Plaintiffs’ bid to rely on their expert reports as arising “far too late,” id. at *4, and affirmed the trial court’s ruling with a procedural modification to reflect a dismissal for lack of subject-matter jurisdiction without leave to amend, id. at *5.

FCA benefitted from prompt attention to the alleged vulnerability.  As the Seventh Circuit noted, FCA “immediately issued a recall and provided a free software update to patch the vulnerability” after Wired magazine documented the issue in 2015.  Id. at *1.  “Federal regulators supervising the recall determined that the patch eliminated the vulnerability[, and] [o]ther than the Jeep in the Wired test, no other Chrysler vehicle has been successfully hacked.”  Id. As internet-connected products continue to proliferate, manufacturers can expect an increasing number of product-defect lawsuits predicated upon alleged cyber vulnerabilities.  However, as the Flynn decision demonstrates, the injury-in-fact element of Article III standing provides an effective defense where plaintiffs lack evidence the alleged vulnerabilities have produced any real-world harms.

After several twists and turns, on July 7th Intel Corp. succeeded in achieving final dismissal of class claims alleging that Intel knew about purported security vulnerabilities in its microprocessors and failed to disclose or mitigate those vulnerabilities.  The case, In Re Intel Corp. CPU Marketing, Sales Practices and Products Liability Litigation, 3:18-md-02828, had a long history—a narrowed set of class claims had survived three prior rounds of motions to dismiss.  Had the claims been allowed to go forward a fourth time, businesses may have faced additional liability concerns for attempting to address cyber vulnerabilities in their products before those vulnerabilities became public and susceptible to exploitation by hackers.

According to Plaintiffs, independent security researchers uncovered potential security vulnerabilities in microprocessors made by Intel that made the microprocessors susceptible to certain exploits, which have become generally known as “Meltdown” and “Spectre.”  Intel learned about the security vulnerabilities in mid-2017, but kept information about the security vulnerabilities under embargo until early 2018.  Keeping information about security vulnerabilities under embargo for a limited period of time is a traditional and lawful practice that allows a company to implement security fixes before hackers learn of the potential exploits.  The dispute in this case centered on the length of the embargo and the allegation that Intel continued to sell its product during that timeframe.

The Court had initially held that Plaintiffs sufficiently stated a claim for unfair conduct under the California UCL, among a handful of other claims, predicated on allegations that Intel delayed lifting the embargo until after the 2017 holiday season so it could continue to sell devices powered by the allegedly vulnerable microprocessors.  However, on reconsideration, the Court determined that Plaintiffs had disavowed that theory, and instead “Plaintiffs [were] simply alleging that Intel sold product during a normal and reasonable embargo with ‘asymmetrical information.’”  The Court held that this allegation was insufficient to support an unfair conduct claim and dismissed all remaining claims with prejudice.

The Court noted that its rulings were not intended “to declare or establish any specific default embargo period, let alone one that would apply under all circumstances.”  This may come as a relief to tech companies that employ embargoes to resolve current or future security vulnerabilities, since establishing a default embargo period could overly restrict the timeframe necessary to resolve the issues.

Last week, an Illinois federal district court granted the defendant’s motion to stay in Stegmann v. PetSmart, No. 1:22-cv-01179 (N.D. Ill.).  The case implicates the evolving law surrounding the scope of the Illinois Biometric Information Privacy Act (“BIPA”) and a pending Illinois Supreme Court case that could provide an important defense to certain BIPA suits.

Continue Reading Federal Court Stays Suit Implicating Accrual of Claims Under the Illinois Biometric Information Privacy Act

On July 5, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the National Institute of Standards and Technology (“NIST”) strongly recommended that organizations begin preparing to transition to a post-quantum cryptographic standard.  “The term ‘post-quantum cryptography’ is often referred to as ‘quantum-resistant cryptography’ and includes, ‘cryptographic algorithms or methods that are assessed not to be specifically vulnerable to attack by’” a CRQC (cryptanalytically relevant quantum computer) or a classical computer.  NIST “has announced that a new post-quantum cryptographic standard will replace current public-key cryptography, which is vulnerable to quantum-based attacks.”  NIST does not intend to publish the new post-quantum cryptographic standard for commercial products until 2024 but urges companies to begin preparing now by following the Post-Quantum Cryptography Roadmap.

Continue Reading CISA and NIST Urge Companies to Prepare to Transition to a Post-Quantum Cryptographic Standard

Recent months have seen a growing trend of data privacy class actions asserting claims for alleged violations of federal and state video privacy laws.  In this year alone, plaintiffs have filed dozens of new class actions in courts across the country asserting claims under the federal Video Privacy Protection Act (“VPPA”), Michigan’s Preservation of Personal Privacy Act (“MPPPA”), and New York’s Video Consumer Privacy Act (“NYVCPA”).

Continue Reading Emerging Trends: Renewed Wave of Video Privacy Class Actions