Litigation

Last week, an Ohio district court found that violations of the Telephone Consumer Protection Act (“TCPA”) occurring between 2015 and July 2020 cannot be enforced because the law was unconstitutional at the time.  The case is captioned Lindenbaum v. Realgy, LLC, No. 19-CV-02862 (N.D. Ohio), and the opinion builds on an earlier decision from a Louisiana district court that reached a similar conclusion in Creasy v. Charter Communications Inc., No. 20-CV-01199 (E.D. La.).
Continue Reading Courts Find TCPA Unenforceable for Acts Prior to July 2020

The English High Court has recently awarded damages in a data privacy case, with two features of particular interest.  First, the nature of the claim is more reminiscent of a claim in defamation than for data privacy breaches, which is a development in the use of data protection legislation.  Secondly, the damages awarded (perhaps influenced by the nature of the case) were unusually high for a data privacy case.

The decision highlights an unusual use of data protection in English law, as a freestanding form of quasi-defamation claim, as the claimants sought damages for reputational harm (as well as distress) solely under the Data Protection Act 1998 (the “DPA”, since replaced by the Data Protection Act 2018, which implemented the General Data Protection Regulation ((EU) 2016/679) (GDPR) in the UK) rather than in a libel or defamation claim, or in parallel with such a claim.  It also sets a potentially unhelpful precedent by awarding two of the claimants £18,000 each for inaccurate processing of their personal data, an amount that is significantly higher than has been awarded in other data protection cases brought under the DPA.  If such awards were to be made in the context of a class action, the potential liability for data controllers could be significant.
Continue Reading English High Court Awards Damages for Quasi-Defamation Data Claim

Introduction

In late 2018, the Upper Tribunal of the Administrative Appeals Tribunal released two significant decisions as to the Freedom of Information Act 2000, section 35, which provides the government a limited basis to withhold communications from disclosure. These are Department for Education v Information Commissioner & Whitmey [2018] UKUT 348 and Cabinet Office v Information Commissioner & Webber [2018] UKUT 410. The cases relate to the 2010 – 2015 Conservative – Liberal Democrat Coalition Government (the “Coalition Government”), headed by Prime Minister David Cameron (Conservative) and Deputy Prime Minister Nick Clegg (Liberal Democrat).

FOIA, section 35

Section 35 provides a qualified exemption to disclosure as to information relating to: (1) ministerial communications and (2) the formulation or development of government policy (inter alia). Withholding information from disclosure is justified if the public interest in withholding the information outweighs the public interest in disclosing the information (section 35(2(2)(b)). Broadly, the purpose of section 35 is to promote free and frank communications between the government and its advisors.  
Continue Reading Freedom of Information Act 2000 (UK) case update: Upper Tribunal rules in favour of disclosure of ministerial communications

On September 26, 2018, New Jersey federal district judge Madeline Cox Arleo dismissed an eight-count class action complaint in its entirety against three smart TV makers: Samsung, LG, and Sony.  The plaintiffs alleged that defendants’ smart TVs continuously monitored and tracked their viewing habits, recorded their voices, and then transmitted that information to defendants’ servers,

Yesterday, the Federal Communications Commission (“FCC”) released a Public Notice seeking comment on a range of issues relevant to its interpretation of the Telephone Consumer Protection Act (“TCPA”), including how the FCC should interpret what constitutes an “automatic telephone dialing system” in the wake of a recent decision by the U.S. Court of Appeals for the District of Columbia Circuit to vacate the agency’s prior interpretation of that term.

This same issue was the focus of a petition for declaratory ruling filed earlier this month by the U.S. Chamber Institute for Legal Reform and a number of other industry organizations.

The Public Notice seeks comment on a range of other TCPA issues, some of which also were addressed by the D.C. Circuit’s recent decision.  These include how calls to reassigned mobile telephone numbers should be treated under the TCPA and the ways in which a party may revoke his or her prior express consent to receive automated or prerecorded calls under the statute. 
Continue Reading FCC Seeking Comment on Key TCPA Reform Issues in Wake of DC Circuit Ruling

The Virginia Supreme Court held that license plate images taken by law enforcement agencies constitute “personal information,” reviving a challenge to the police storage of license plate data.

Automatic license plate readers (“ALPRs”) are used by police departments across the country to take thousands of photos of license plates per hour.  Officers check these numbers against lists of stolen or wanted vehicles.  Because ALPRs also record the date, time and location of the license plate image, groups such as the American Civil Liberties Union have argued that this collection is an invasion of privacy that allows police to track a person’s movements.

The Virginia Supreme Court’s ruling marks a significant development in a case challenging the mass collection of license plate images and location data by ALPRs.  In 2015, the ACLU sued the Fairfax County Police Department (“FCPD”) on behalf of Harrison Neal, a motorist whose license plate had been captured twice and stored pursuant to a FCPD policy for one year.  Neal alleged that FCPD’s collection and storage of ALPR data violates Virginia’s Data Act, a statute designed to prevent the unnecessary collection and storage of personal information by government agencies.  However, the circuit court rejected Neal’s claim.  The court ruled that a license plate number is not “personal information” under the Data Act because the number refers to a vehicle rather than an individual.
Continue Reading Virginia Supreme Court Holds that Police License Plate Readers Collect Personal Information

On January 25, 2018, the Court of Justice of the European Union (“CJEU”) handed down a ruling permitting consumer privacy actions to be brought in the consumer’s home jurisdiction — as opposed to the jurisdiction in which the defendant data controller has its main establishment — but not permitting consumer privacy class actions to be brought in a consumer’s home jurisdiction.

Background

Maximilian Schrems (“Schrems”) — an Austrian resident, lawyer and privacy activist (best known for his involvement in litigation relating to the EU-U.S. Safe Harbor and the EU Model Clauses) — brought a class action against Facebook’s Irish-registered office, before the Austrian courts.  Schrems’ action alleges various breaches of Austrian, Irish, and EU data privacy rules, and includes claims for damages arising from these alleged breaches.

Schrems, a Facebook user of ten years, initially registered with Facebook under a false name for personal purposes only, engaging in typical private uses of the site such as to share photos and posts with his 250 or so Facebook Friends.  Then, in 2011, Schrems created a Facebook page to report on his legal proceedings against Facebook Ireland, reference his lectures and media appearances, advertise his books and solicit public donations.

The Austrian Supreme Court sought a preliminary ruling from the CJEU on two points.

  • Whether Schrems is a “consumer” as defined and interpreted under EU law (namely Article 15 of Regulation No. 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters), in relation to his Facebook account, specifically the use of his Facebook page (“the Consumer Issue”).
  • Whether Schrems could bring his action alongside and on behalf other consumers in contractual relationships with Facebook, those consumers numbering more than 25,000 and residing in Austria, other Member States, and outside the EU (“the Class Action Issue”).


Continue Reading CJEU Rejects Consumer Privacy Class Action

On Monday, the U.S. District Court for the District of Kansas ruled that the named plaintiff for a putative class of CareCentrix employees whose personal information was compromised had alleged enough harm for standing under Spokeo, Inc. v. Robins.  The case is Hapka v. CareCentrix, Inc.

In early 2016, a phishing attack compromised

In an order released last week, the Eleventh Circuit temporarily delayed enforcement of the Federal Trade Commission’s (FTC) order in the LabMD case.  As we reported earlier, the FTC ruled in July that LabMD’s data security practices violated the FTC Act, clarifying and expanding upon the FTC’s authority to regulate corporate data security practices.  After the FTC denied LabMD’s request for a stay, the company appealed to the Eleventh Circuit, which granted the stay in a unanimous decision.
Continue Reading Appellate Court Stays Enforcement of FTC’s LabMD Order

On Monday, a panel of the Ninth Circuit unanimously ruled that Section 230 of the Communications Decency Act (“CDA”) protected Yelp from liability relating to an allegedly defamatory user-generated review.  In doing so, the Court rejected several attempts by the Plaintiff to plead around the CDA’s broad immunity provisions by accusing Yelp of playing a