Potentially signaling an expansion of the scope of constitutional standing in data breach cases, a district court in the Northern District of California recently held that the exposure of users’ non-sensitive, publicly available personal information may be sufficient to establish an injury-in-fact.[1]
Continue Reading District Court Finds Allegations That Data Breach Exposed Publicly Available and Non-Sensitive Personal Information Sufficient for Article III Standing
Legislators Propose Differing Approaches to Federalizing Corporate Responsibility for Data Breaches
In the past year, members of both chambers of the U.S. Congress, from both sides of the aisle, have proposed data privacy bills that would impose nationwide standards on companies that collect and/or share consumers' personal information. Currently, all 50 states have separate, but often overlapping, data privacy regimes, each subjecting companies to various combinations of recordkeeping standards, data sharing restrictions, and data breach reporting requirements, creating a patchwork of state laws that can generate substantial uncertainty for corporations.
Data Transfer Mechanisms to be Reviewed by CJEU After Irish Supreme Court Dismisses Facebook Appeal
On 31 May 2019, the Supreme Court of Ireland dismissed Facebook’s appeal of the Irish High Court decision to refer questions regarding, among other things, the adequacy of the EU-U.S. Privacy Shield and the European Commission’s Standard Contractual Clauses to the Court of Justice of the EU (the “CJEU”). The CJEU will hear the case (C-311/18) on 9 July 2019.
FTC Commissioners Continue Calls for National Data Privacy and Security Legislation
On May 8, 2019, Commissioners from the Federal Trade Commission repeated their calls for federal data privacy legislation enforceable by the FTC at a hearing of the House Committee on Energy & Commerce titled "Oversight of the Federal Trade Commission: Strengthening Protections for Americans' Privacy and Data Security."
SEC Privacy Risk Alert may Foreshadow Upcoming Reg S-P Enforcement Against Broker-Dealers, Investment Advisers
On April 16, 2019, the U.S. Securities and Exchange Commission's ("SEC") Office of Compliance Inspections and Examinations ("OCIE") issued a Risk Alert addressing the privacy-related obligations under Regulation S-P ("Reg S-P") of all registered broker-dealers and investment advisers (together, "Firms").[1] The Risk Alert set out the most frequent Reg S-P deficiencies OCIE identified during examinations over the past two years, and encouraged registrants to review their written privacy policies and procedures as well as the consistency with which those policies and procedures have been implemented. The Alert is the latest in a series of recent privacy and cybersecurity guidance documents issued by the SEC, including the February 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures and the October 2018 Report of Investigation on cyber-related frauds and public company accounting controls.
This Risk Alert is consistent with the SEC’s approach of seeking to influence the conduct of registrants by providing guidance on specific compliance issues, followed by Risk Alerts noting common exam deficiencies, prior to pursuing enforcement actions. Investment advisers and broker-dealers should take this as a prompt to review their relevant policies and procedures to ensure they are appropriate and being followed in practice.
Illinois Appellate Court Holds Employee Biometric Privacy Claims Are Independent Of Wage and Hour Disputes
On April 9, 2019, an appellate court in Illinois held in Liu v. Four Seasons Hotel, Ltd.[1] that an employee’s allegations of violations of the state’s Biometric Information Privacy Act (“BIPA” or the “Act”) do not constitute allegations of “a wage or hour violation,” even where collection of biometric data is being used to monitor hours worked. Coming on the heels of the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corporation,[2] which held that plaintiffs are not required to allege harm beyond a “technical” violation of the Act in order to bring an action under BIPA, Liu demonstrates a developing pattern of recognition of broad privacy rights in Illinois courts.
DOJ Releases White Paper Addressing Scope & Implications of CLOUD Act
On April 10, 2019, the Department of Justice (“DOJ”) released a white paper titled Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act. This white paper is the first official DOJ statement about the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) and reflects the DOJ’s current perspective on its scope and implications. Below we summarize the CLOUD Act and discuss the DOJ’s key observations.
Supreme Court Vacates Approval of Class Action Settlement and Remands to Determine Article III Standing in Data Privacy Case
On March 20, 2019, in Frank v. Gaos, the Supreme Court remanded a case challenging Google’s practice of disclosing users’ search terms to third parties, directing the lower courts to address whether class plaintiffs had Article III standing to bring the privacy action in light of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).[1] Frank v. Gaos was originally notable because it had been resolved by a cy pres-only class action settlement, which had been appealed by objecting class members as inconsistent with Federal Rule of Civil Procedure 23. As part of the remand, the Court vacated the settlement without opining on its validity.
Federal Trade Commission Issues 2018 Privacy and Data Security Update
On Friday, March 15, 2019, the U.S. Federal Trade Commission (“FTC”) issued its 2018 Privacy & Data Security Update (the “Update”) detailing its activities last year in seven “zones” of privacy and data security: enforcement, advocacy, rules, workshops, reports and surveys, consumer education and business guidance, and international engagement.
EDPB Issues First Opinion on Administrative Arrangements Under the GDPR for Cross-Border Data Flows Between EU and Non-EU Securities Agencies
On 12 February 2019, the European Data Protection Board (“EDPB”)[1] adopted its first opinion on an “administrative arrangement,” which provides a new mechanism for the transfer of personal data between European Union (“EU”) financial supervisory authorities and securities agencies and their non-EU counterparts.
Under the EU's General Data Protection Regulation 2016/679 ("GDPR"), personal data cannot be transferred from the European Economic Area ("EEA") to a third country unless the European Commission has decided that the third country is "adequate" from a data protection perspective, or "appropriate safeguards" are in place to ensure that the treatment of personal data in the hands of the recipient reflects the GDPR's high standards. Article 46 of the GDPR provides for various safeguarding options, including the possibility of "provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights."[2] Before this opinion, the EDPB had not approved any such "administrative arrangement."