Highest Administrative Court in France Upholds Google’s €50 Million Fine

On January 21, 2019, the CNIL (the French data protection authority) issued a fine of €50 million to Google under the General Data Protection Regulation (the “GDPR”) for its failure to (1) provide notice in an easily accessible form, using clear language, when users configured their Android mobile device, and (2) obtain users’ consent to process personal data for ad personalization purposes. The CNIL’s enforcement action and resulting fine arose out of actions filed by two not-for-profit associations, None of Your Business and La Quadrature du Net. The fine was the first significant fine imposed by the CNIL under the GDPR and remains one of the highest fines to date. In determining the amount of the fine, the CNIL considered the fact that the violations related to essential principles under the GDPR (transparency and consent), the violations were continuing, the importance of the Android operating system in France, and the fact that the privacy notice presented to users covered a number of processing operations. Google appealed the decision. READ MORE

French Court Annuls Parts of the CNIL’s Cookie Guidelines

On June 19, 2020, the Conseil d’Etat, the highest administrative court in France, annulled in part the cookie guidelines issued by the CNIL (the French data protection authority). The court ruled that the CNIL did not have the power to prohibit “cookie walls” (i.e., the practice of blocking access to a site or app for users who do not consent to the use of cookies) in the guidelines. READ MORE

Parkview Health Decision Highlights Vicarious Data Breach Liability Risk in the United States

A recent decision in Indiana highlights the data security liability risks facing employers based on the actions of their employees, extending vicarious liability even to cases where the employees were acting wholly for personal purposes. In SoderVick v. Parkview Health Sys., Inc., the Court of Appeals of Indiana reversed summary judgment in favor of the defendant, reviving claims of respondeat superior against Parkview Health Systems, Inc. (“Parkview”) where the hospital’s employee texted personal health information to a third party. No. 19A-CT-2671, 2020 WL 2503923 (Ind. Ct. App. May 15, 2020). We recently noted a decision of the Supreme Court of the United Kingdom in WM Morrison Supermarks plc v. Various Claimants (“Morrison”) where the Court made the contrary determination, ruling that the large supermarket chain Morrison could not be held vicariously liable as a matter of law for the intentional acts of a rogue employee who posted the payroll data of Morrison employees on the Internet. But as we also explained, businesses that collect personal information should be cautious about reading too much into that ruling: while the Court allowed the appeal in favor of Morrison, the decision turned on the particular facts of the case (where the rogue employee actively tried to damage his employer). The Parkview Health decision further underscores this need for caution, especially with increased remote work due to COVID-19 where the risk of employers being sued over security breaches caused by their employees is, unfortunately, ever-increasing. READ MORE

Legislative Update: Privacy Bills Not Immune to COVID-19 As Legislative Efforts Persist and Evolve

Today, we are all facing a public health crisis unlike any other we have seen in our lifetime. In addition to serious consequences to global health, the COVID-19 pandemic has created significant disruption in the legal system and privacy law initiatives have not been immune to the virus’s impact. With many state legislatures nearing or at the end of legislative sessions taken over by pandemic priorities, state privacy bill initiatives across the country are grinding to a halt. However, some lawmakers are pushing forward with targeted proposals to protect individual privacy in the face of COVID-19 and some states, particularly California, continue public and private efforts to bolster privacy in their jurisdiction. Below is a summary of the 2020 privacy legislative efforts to date and the impact COVID-19 has had on their progress. READ MORE

Wait…CCPA 2.0? What Is the California Privacy Rights Act of 2020 and Will It Become Law?

On May 4, 2020, Californians for Consumer Privacy announced that it submitted over 900,000 signatures to qualify the California Privacy Rights Act of 2020 (“CPRA”) for California’s November 2020 ballot. With the California Consumer Privacy Act of 2018 (“CCPA”) set to become enforceable on July 1, 2020, this new ballot initiative has left many wondering what the CPRA is and whether the CPRA will become law. We explore these questions further below.

READ MORE

Two Diverging Federal COVID-19 Privacy Bills Proposed

In recent days, Congress has introduced two divergent “emergency” bills to address privacy issues arising during the COVID-19 crisis. While both bills aim to protect personal data collected for the purposes of contact tracing and containing the spread of the illness, the bills – one led by Republicans, the other by Democrats – offer different approaches in key areas, including the scope of entities covered, preemption of state law, and whether to provide a private right of action. Given these differences, it is unlikely either bill will pass in its current form, barring significant concessions from each side of the aisle. Here is a high-level summary of the key points addressed in each bill: READ MORE

Seventh Circuit Bolsters Article III Standing for Actions Under the Illinois Biometric Information Privacy Act

On May 5, 2020, the Seventh Circuit held in Bryant v. Compass Group USA, Inc. that a plaintiff who asserted a violation of the Illinois Biometric Information Privacy Act’s (“BIPA’s”) notice and consent requirements had Article III standing to pursue her claim in federal court. With respect to BIPA’s retention schedule posting requirement, however, the Seventh Circuit found that allegations of a statutory violation did not, on their own, suffice to confer Article III standing. This decision will make it easier for defendants to keep BIPA claims in federal court, and its standing analysis has significant implications for BIPA cases, as well as other privacy and data security cases more broadly.

READ MORE

EDPB Tears Down Cookie Walls – Implementation of Cookies in Europe Becomes Even More Challenging

On May 4, the European Data Protection Board (“EDPB”)—an independent body which ensures that the General Data Protection Regulation (“GDPR”) is consistently applied within the EU—has updated its guidelines on consent under the GDPR, clarifying its requirements regarding the GDPR compliant use of cookies on a website. READ MORE

Prison Time for Personal Use of Company Computers? Supreme Court Grants Cert to Decide Whether Noncompliance With a Company’s Terms of Use Constitutes a Violation of the Computer Fraud and Abuse Act

On Monday, April 20th, the Supreme Court accepted cert in Van Burien v. United States to (hopefully) resolve a longstanding circuit split regarding the Computer Fraud and Abuse Act (or CFAA):  Does an individual exceed authorized access when he or she accesses a computer contrary to a policy or agreement limiting access (i.e., accessing a computer for a purpose beyond those permitted by the company). READ MORE

The French Data Protection Authority Publishes a Q&A to Recall the Main Characteristics of the Right to De-listing

On April 7, 2020, the French Data Protection Authority (the CNIL) published on its website a Q&A on the right to de-listing. The right to de-listing enables a data subject to request from a search engine to remove one or several results provided when a search request is carried out using the data subject’s name and surname.

The timing of this publication is interesting as it took place a few days after the decision of the French Highest Administrative Court (the Conseil d’Etat) on the so-called Google case.

READ MORE