On August 1, 2022, the CJEU issued its ruling in Case 184/20 (OT v Vyriausioji tarnybinės etikos komisija) following a referral from the Lithuanian Regional Administrative Court. In this ruling, the CJEU elected to interpret the GDPR very broadly in a judgment that is likely to have a significant impact for organisations processing personal data.

The case arose from a question concerning the application of Lithuanian law requiring people in receipt of public funds to file declarations of interest. Those declarations, including information about the interests of the individual’s “spouse, cohabitee or partner”, were published online. Here, the applicant had failed to file a declaration and was sanctioned. In the first place, the CJEU found that the underlying law did not strike a proper balance between the public interest in preventing corruption and the rights of affected individuals.

On its own, this would not necessarily be controversial. However, the CJEU went on to note that because it is possible to deduce information about an individual’s sex life or sexual orientation from the name of their partner, publishing that information online involves processing special category data subject to Article 9 GDPR.

Specifically, the CJEU found that the processing of any personal data that are “liable indirectly to reveal sensitive information concerning a natural person”, i.e. any information that may reveal a person’s racial or ethnic origin, religious or philosophical beliefs, political views, trade union membership, health status or sexual orientation, is subject to the prohibition from processing under Article 9(1) GDPR, unless an exception under Article 9(2) applies.

The practical implications of this judgment could be significant. It is conceivable that common processing operations, such as publishing a photo on a corporate social media page, could reveal some information that is protected under Article 9. Controllers may now need to review their processing operations through a contextual lens to assess whether the data being processed, and the manner of processing, is liable to reveal any sensitive information.

Unhelpfully, the judgment is not clear on how far controllers will need to go to make this assessment. For example, it may be arguable that if a controller does not make personal data public, and it implements policies that prohibit employees from making inferences, then the information is not liable to reveal special category data, but this is not certain. An alternative interpretation might result in a much greater amount of data being subject to Article 9. Regulatory guidance on how controllers can comply would now be welcome, as would guidance on how to resolve the tension with, for example, the EDPB’s existing guidelines on processing data through video devices, which state that video footage will only be special category data if it is actually used to deduce special category data.

***

The Covington team will keep monitoring the developments on this issue, including any regulatory guidance released in response to the judgment, and is happy to assist with any inquiries on the topic.

On Episode 19 of Covington’s Inside Privacy Audiocast, Dan Cooper and Yan Luo discuss the key provisions of China’s draft SCCs, compare the draft legislation with the GDPR, and talk through actions that companies should be considering in order to comply with the new cross-border data requirements.

This audiocast episode is repurposed from a recent webinar hosted by our team. Should you want to receive a copy of the slide deck referenced in the episode, please reach out to one of our speakers, Dan Cooper or Yan Luo.


Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.

The leadership of Ireland’s Data Protection Commission (“DPC”) is to be expanded to a three-person Commission, with the current Commissioner taking the lead role as Chair.  The Irish Minister for Justice announced the decision on July 27, 2022, along with the Government’s decision to undertake a review of its governance structures, staffing arrangements and processes for the newly modeled Commission.

Continue Reading Ireland Expands Leadership Structure of Data Protection Commission

On 18 July 2022, following its recent response to the public consultation on the reform of UK data protection law (see our blog post on the response here), the UK Government introduced its draft Data Protection and Digital Information Bill (the “Bill”) to the House of Commons.

The Bill is 192 pages, and contains 113 sections and 13 Schedules, which amend and sit alongside existing law (the UK GDPR, Data Protection Act 2018 (“DPA”), Privacy and Electronic Communications Regulations 2003 (“PECR”), the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, etc.). Some readers’ immediate reaction might be to query whether the Bill will simplify the legislative framework for businesses operating in the UK and facilitate the goal of the Information Commissioner to provide “certainty” for businesses. Time will tell. The Government’s publication of a Keeling Schedule (essentially a redline of the UK GDPR and DPA 2018 showing the changes resulting from the Bill), expected in the Autumn, will be welcome.

Much of the content of the Bill was previewed in the Government’s consultation response and includes proposed changes that are designed to reduce the administrative burden on business to some extent.  The Bill is by no means a radical departure from existing law, however, and in some key areas – such as data transfers – the law will essentially remain the same.  But we now have additional important details on proposed changes to UK data protection law, and we set out in this post our immediate thoughts on some details that are worth highlighting.

Continue Reading A Cautious Approach: the UK Government’s Data Protection and Digital Information Bill

The California Privacy Protection Agency (“CPPA”) announced it will hold a special meeting on July 28, 2022 at 9 a.m. PST to discuss and potentially act on proposed federal privacy legislation, including the bipartisan American Data Protection and Privacy Act (“ADPPA”) (H.R. 8152).  The ADPPA is a comprehensive data privacy bill that advanced through the House Committee on Energy & Commerce on June 20 and may be headed to the House floor before the end of this Congress.  The ADPPA, as currently drafted, would preempt significant portions of state consumer privacy laws, including the California Consumer Privacy Act (“CCPA”).  It is notable that during the Energy & Commerce Committee’s consideration of the bill, several members of the California delegation expressed specific concerns about the legislation’s broad preemption provisions.  Although the CPPA has yet to formally take a position on the latest version of the ADPPA, CPPA staff memoranda and other related letters suggest that the CPPA will oppose federal privacy legislation that seeks to preempt the state’s comprehensive consumer privacy protections. 

The CPPA has posted the special meeting agenda and virtual attendance link.  Additional meeting materials, including staff memorandum on the issues, can be found here.  The CPPA noted that members of the public will be given the opportunity to comment.

In October 2019, the UK and U.S. Governments signed an agreement on cross-border law enforcement demands for data from Communication Service Providers (the “Agreement”, which we described in our earlier post here). Only now, however, have the two countries completed the procedural steps required to bring the Agreement into force. On July 21, 2022, they issued a joint statement (available here) explaining that the Agreement will come into force on October 3, 2022.

The joint statement emphasizes that the aim of the Agreement is to “allow information and evidence that is held by service providers within each of our nations and relates to the prevention, detection, investigation or prosecution of serious crime to be accessed more quickly than ever before.” The UK Government’s factsheet on the announcement (available here) further clarifies that the process under the Agreement is intended to be faster than processes under existing mutual legal assistance treaties (“MLAT”). This is because, as set out in our prior post, Communication Service Providers subject to UK or U.S. jurisdiction will no longer be prohibited under domestic law from responding to demands from competent authorities in the other country to the extent that demand is made under the Agreement. Under MLAT processes, in contrast, authorities issuing a demand for data in one country must typically wait for law enforcement authorities in the other country to issue a demand under their domestic legislation, and this typically takes a significant amount of time.

The substance of the Agreement remains unchanged by the joint announcement, but the practical upshot is that from October 3, Communication Service Providers in the UK and the United States will need to be prepared to recognize demands issued under the Agreement. These providers should also note that the Agreement does not oblige law enforcement authorities to issue data demands under it. In other words, authorities can continue to issue demands outside the scope of the Agreement.

It is unclear what, if any, impact the entry into force of the Agreement will have on the UK’s status as an “adequate” jurisdiction under the EU’s General Data Protection Regulation (“GDPR”). The current adequacy decision takes the position that the Agreement as written would not undermine the level of protection provided by UK law, but the Commission also asserts that it will take account of any developments resulting from the application of the Agreement in practice as part of ongoing monitoring of the adequacy decision. Accordingly, any potential impact of the Agreement on UK adequacy is likely to emerge only after October 3.

On July 21, 2022, the Cyberspace Administration of China (“CAC”) – the country’s primary regulator for cybersecurity and privacy – imposed a fine of RMB 8.026 billion (around $1.2 billion USD) on China’s largest ride-hailing company for violating data protection laws, including the Cybersecurity Law, Data Security Law and Personal Information Protection Law.  In addition, the CEO and the President of the company were each personally fined RMB 1 million (around $150,000 USD).

The public notice of the penalty decision does not provide much detail, but a CAC spokesperson indicated in a press conference that the administration found a total of 16 violations.  This included the illegal collection of large volumes of data on passengers, such as screenshots from albums on mobile devices, user clipboard information and application list information, facial recognition data, and age-related data.  According to the CAC, the company also failed to accurately specify the processing purposes for 19 different types of personal information, including user device information.  

According to the CAC spokesperson, these violations began in May 2015 and continue to this day, so that they breach, on a continuous basis, the Cybersecurity Law (in force since June 2017), the Data Security Law (in force since September 2021) and the Personal Information Protection Law (in force since November 2021).

Looking ahead, the CAC spokesperson indicated that the CAC will continue to strengthen enforcement in the areas of cybersecurity, data security and personal information protection.

Late last week, the Seventh Circuit affirmed a trial court’s ruling granting dismissal at summary judgment of claims against FCA US LLC (“FCA,” formerly known as Chrysler) and Harman International Industries, Inc. (“Harman”) for lack of Article III standing.  See Flynn v. FCA US LLC, — F. 4th —-, 2022 WL 2751660 (7th Cir. July 14, 2022).  Plaintiffs’ class-action complaint claimed injuries arising out of an alleged cybersecurity vulnerability in an infotainment system designed by Harman for installation in FCA vehicles manufactured between 2013 and 2015.  See id. at *1.  However, after discovery, the Plaintiffs offered the trial court no evidence establishing that the vulnerability actually caused them any harm. 

Having failed to cite “any factual support for their claimed injury” in the trial court, id. at *3, the Plaintiffs shifted gears and sought to rely on appeal on portions of their expert reports regarding an “overpayment” theory that they had not relied on in the trial court, id. at *4.  Under that argument, Plaintiffs claimed that “they paid more for their vehicles than they would have if they had known about the cybersecurity vulnerability.”  Id. at *1.  The Seventh Circuit rejected Plaintiffs’ bid to rely on their expert reports as arising “far too late,” id. at *4, and affirmed the trial court’s ruling with a procedural modification to reflect a dismissal for lack of subject-matter jurisdiction without leave to amend, id. at *5.

FCA benefitted from prompt attention to the alleged vulnerability.  As the Seventh Circuit noted, FCA “immediately issued a recall and provided a free software update to patch the vulnerability” after Wired magazine documented the issue in 2015.  Id. at *1.  “Federal regulators supervising the recall determined that the patch eliminated the vulnerability[, and] [o]ther than the Jeep in the Wired test, no other Chrysler vehicle has been successfully hacked.”  Id. As internet-connected products continue to proliferate, manufacturers can expect an increasing number of product-defect lawsuits predicated upon alleged cyber vulnerabilities.  However, as the Flynn decision demonstrates, the injury-in-fact element of Article III standing provides an effective defense where plaintiffs lack evidence the alleged vulnerabilities have produced any real-world harms.

After several twists and turns, on July 7th Intel Corp. succeeded in achieving final dismissal of class claims alleging that Intel knew about purported security vulnerabilities in its microprocessors and failed to disclose or mitigate those vulnerabilities.  The case, In Re Intel Corp. CPU Marketing, Sales Practices and Products Liability Litigation, 3:18-md-02828, had a long history—a narrowed set of class claims had survived three prior rounds of motions to dismiss.  Had the claims been allowed to go forward a fourth time, businesses may have faced additional liability concerns for attempting to address cyber vulnerabilities in their products before those vulnerabilities became public and susceptible to exploitation by hackers.

According to Plaintiffs, independent security researchers uncovered potential security vulnerabilities in microprocessors made by Intel that made the microprocessors susceptible to certain exploits, which have become generally known as “Meltdown” and “Spectre.”  Intel learned about the security vulnerabilities in mid-2017, but kept information about the security vulnerabilities under embargo until early 2018.  Keeping information about security vulnerabilities under embargo for a limited period of time is a traditional and lawful practice that allows a company to implement security fixes before hackers learn of the potential exploits.  The dispute in this case centered on the length of the embargo and the allegation that Intel continued to sell its product during that timeframe.

The Court had initially held that Plaintiffs sufficiently stated a claim for unfair conduct under the California UCL, among a handful of other claims, predicated on allegations that Intel delayed lifting the embargo until after the 2017 holiday season so it could continue to sell devices powered by the allegedly vulnerable microprocessors.  However, on reconsideration, the Court determined that Plaintiffs had disavowed that theory, and instead “Plaintiffs [were] simply alleging that Intel sold product during a normal and reasonable embargo with ‘asymmetrical information.’”  The Court held that this allegation was insufficient to support an unfair conduct claim and dismissed all remaining claims with prejudice.

The Court noted that its rulings were not intended “to declare or establish any specific default embargo period, let alone one that would apply under all circumstances.”  This may come as a relief to tech companies that employ embargoes to resolve current or future security vulnerabilities, since a court-established default embargo period could overly restrict the timeframe necessary to resolve such issues.

Last week, an Illinois federal district court granted the defendant’s motion to stay in Stegmann v. PetSmart, No. 1:22-cv-01179 (N.D. Ill.).  The case implicates the evolving law surrounding the scope of the Illinois Biometric Information Privacy Act (“BIPA”) and a pending Illinois Supreme Court case that could provide an important defense to certain BIPA suits.

Continue Reading Federal Court Stays Suit Implicating Accrual of Claims Under the Illinois Biometric Information Privacy Act