While the EU General Data Protection Regulation 2016/679 (the “GDPR”) has grabbed headlines due to its extraterritorial reach and administrative fining regime (which permits fines for non-compliance up to the higher of €20 million or 4% of global annual turnover), a recent decision in the Northern District of California – Finjan v. Zscaler (“Finjan”) – suggests that U.S. courts won’t view the EU data protection legislation as an absolute obstacle to domestic discovery. Finjan, as the first post-GDPR ruling of its kind, suggests that it will be business as usual navigating between U.S. civil discovery and EU law, at least from the U.S. courts’ perspective. Continue Reading Can the GDPR Tip the Scales in U.S. Discovery – Finjan v. Zscaler
Responding to a request by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), the EU’s data protection supervisory bodies released an initial joint opinion on the impact of the U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) on the EU data protection framework.
The preliminary assessment by the European Data Protection Supervisor (“EDPS”) and European Data Protection Board (“EDPB”) leaves service providers facing a familiar dilemma.
Although the CLOUD Act now makes clear that U.S. disclosure orders have an extraterritorial reach, the EDPS and EDPB see very limited options for service providers to comply with such orders without breaching the EU’s General Data Protection Regulation (“GDPR”).
Companies will have to carefully consider whether to store data with service providers that may be subject to the Act.
In February of this year the German antitrust agency, the Federal Cartel Office (“FCO”), issued a decision against Facebook regarding its handling of user data. Please see our previous blog post detailing the FCO’s arguments here.
The DCA can order suspensive effect for an appeal if it has serious doubts about whether the prohibition decision is legally valid. Despite the preliminary character of the DCA’s decision, this could represent a significant setback for the FCO and have a signaling effect beyond the German borders. The DCA made certain important points on issues of law, which it will likely not reverse during its main proceedings. Continue Reading German Court Divorces GDPR and Competition Law in Facebook Appeal
In late July 2019, U.S. federal and state regulators announced three headline‑grabbing data privacy and cybersecurity enforcement actions against Equifax and Facebook. Although coverage of these cases has focused largely on their striking financial penalties, the terms the settlements imposed on the companies’ operations, as well as on their officers, directors, and compliance professionals, are just as important, as is what they signal about potential future enforcement activity. Continue Reading July 2019 Privacy and Cybersecurity Enforcement: Lessons for Management and Directors
On July 29, 2019, the Court of Justice of the European Union (“CJEU”) issued its judgment in Case C-40/17 (Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV). This is a landmark decision on who bears responsibility for complying with data protection legislation when third-party features are embedded in a website, a practice that is now routine.
The CJEU adopted a broad view of the situations in which a “joint controllership” can arise. It held that, under EU data protection legislation, the operator of a website featuring the Facebook ‘Like’ button (a social plugin that causes the transmission to Facebook of website users’ personal data) can qualify as a controller, jointly with Facebook. Consequently, the website operator is directly responsible for complying with legal obligations in this respect, including by informing its users that their personal data will be transferred to Facebook.
However, the CJEU importantly clarified that the website operator’s role as controller (and the corresponding legal obligations) is limited to the collection and transmission of the data to Facebook and does not include any subsequent personal data processing that Facebook carries out.
The CJEU’s findings will potentially affect other third-party technologies commonly incorporated into websites, beyond the Facebook ‘Like’ button, such as cookies and pixels.
On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”), which expands data breach notification obligations under New York law and for the first time imposes affirmative cybersecurity obligations on covered entities.
The Act makes five principal changes to existing New York law:
- Expanding the law’s jurisdiction to entities that maintain private information of New York residents, regardless of whether or not such entities actually conduct business within the State;
- Broadening the scope of “private information” triggering notification obligations in the event of a breach, including to biometric data;
- Expanding the definition of a “breach” to include unauthorized “access” to private information, in addition to unauthorized “acquisition” of such information;
- Increasing civil penalties for violations of notification obligations; and
- For the first time, affirmatively requiring covered businesses to develop, implement, and maintain “reasonable” data security safeguards, which include, among other things, conducting risk assessments and addressing identified risks.
The first four provisions go into effect on October 23, 2019, while the fifth provision requiring companies to adopt and maintain a cybersecurity compliance program becomes effective on March 21, 2020.
On 9 July, the UK Information Commissioner’s Office (“ICO”) issued a notice of its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 for alleged infringements of the EU General Data Protection Regulation (“GDPR”) in connection with a cybersecurity incident notified to the ICO by Marriott in November 2018. The ICO’s public statement followed Marriott’s disclosure of the ICO’s intention to the US Securities and Exchange Commission (“SEC”) and comes just one day after the ICO published its notice of intention to fine British Airways £183.4 million (see our previous blog post here). The proposed fines, if enforced by the ICO, will be the two highest fines levied under the GDPR to date.
On June 24th, Senators Mark Warner (D-VA) and Josh Hawley (R-MO) introduced a bill that would require large technology companies to regularly disclose to their users and the Securities and Exchange Commission (SEC) the value of the user data they collect and monetize. The bipartisan bill, cited as the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, is intended to capture major online platforms such as Amazon, Facebook, Google and Twitter that offer “free” services to users while monetizing user data through targeted advertising.
The UK Information Commissioner’s Office (“ICO”) has issued a notice of intention to fine British Airways following an extensive investigation into the British Airways cybersecurity incident (notified by British Airways to the ICO in September 2018). The fine of £183.4 million relates to various alleged infringements of the EU General Data Protection Regulation (“GDPR”). Continue Reading UK Data Protection Regulator Issues Notice of Intention to Fine British Airways £183.4 Million for Personal Data Breach
Potentially signaling an expansion of the scope of constitutional standing in data breach cases, a district court in the Northern District of California recently held that the exposure of users’ non-sensitive, publicly available personal information may be sufficient to establish an injury-in-fact. Continue Reading District Court Finds Allegations That Data Breach Exposed Publicly Available and Non-Sensitive Personal Information Sufficient for Article III Standing