Following the CJEU’s invalidation of the EU Commission’s adequacy decision on the EU-U.S. Privacy Shield in Schrems 2.0, on September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) found that the Swiss-U.S. Privacy Shield does not meet the data protection standards set by the country’s Federal Act on Data Protection (FADP). READ MORE
Brazil’s long-anticipated data protection law, Lei Geral De Proteção de Dados Pessoais (“General Law for Data Protection” or “LGPD”), now appears positioned to take effect in a matter of days. Ever since the law was originally passed in August 2018, implementation and enforcement timelines have been in flux. In a rather sudden turn of events last week, however, dramatic back-to-back votes by each house of Brazil’s National Congress now put the substantive provisions of the LGPD on track to take effect in a few days’ time, upon approval by Brazil’s president. The LGPD’s administrative fines and sanctions provisions remain scheduled to take effect next year in August 2021. READ MORE
Earlier this month, the U.S. Supreme Court agreed to hear a pair of cases that provide it with the opportunity to severely restrict the Federal Trade Commission’s (“FTC’s”) authority to obtain equitable money relief in consumer protection enforcement actions, including privacy and cybersecurity matters. Under Section 13(b) of the FTC Act, in certain circumstances the FTC is empowered to bring actions in federal court to seek temporary restraining orders and injunctions for violations of the Act. In two consolidated cases, FTC v. Credit Bureau Center, LLC and AMG Capital Management, LLC v. FTC, the Supreme Court will now consider whether, as the FTC claims, this provision also authorizes the agency to seek equitable money relief for such violations, even though the provision makes no mention of money relief. The decision will have broad implications because the FTC has relied on Section 13(b) to seek monetary relief in consumer protection enforcement actions, including privacy and cybersecurity matters. A ruling against the FTC could substantially alter the FTC’s approach to privacy and cybersecurity enforcement.
The FTC’s privacy and cybersecurity enforcement actions typically rely on Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. The FTC takes the position that a failure to implement “reasonable” cybersecurity or privacy practices can constitute an “unfair” practice, and that making false or misleading statements about such practices can be a “deceptive” trade practice under the statute.
The FTC can enforce Section 5 in two ways. First, it can rely on its traditional administrative enforcement authority, which allows the FTC to initiate an administrative proceeding to issue an order to “cease and desist” violations of Section 5, but only provides for monetary relief in limited circumstances. Second, in certain situations the FTC can sue directly in federal court under Section 13(b) of the FTC Act. Although Section 13(b) authorizes only “injunctions,” the FTC often brings cases under this section in federal court seeking monetary relief under equitable doctrines such as restitution, disgorgement and rescission of contracts.
Until recently, courts universally accepted the FTC’s expansive view that its authority under Section 13(b) to obtain “injunctions” enables it to seek equitable monetary relief. But that has begun to change. In Credit Bureau, the Seventh Circuit rejected the FTC’s position that Section 13(b) authorizes monetary relief on the ground that an implied equitable monetary remedy would be incompatible with the FTC Act’s express remedial scheme. Most notably, the court observed that the FTC Act has two detailed remedial provisions expressly authorizing equitable money relief if the FTC follows certain procedures. The FTC’s broad reading of Section 13(b) would allow the agency to circumvent these conditions on obtaining equitable money relief, contrary to the intent of Congress. And in AMG Capital Management, although the Ninth Circuit considered itself bound to follow its prior precedent allowing the FTC to obtain money relief under Section 13(b), two of the three panel members joined a special concurrence arguing that this position is “no longer tenable.” And a decision from the Third Circuit last year, while not addressing whether the FTC is barred from pursuing money relief under Section 13(b), held that to pursue such relief the FTC must, at a minimum, allege facts plausibly suggesting that the company “is violating, or is about to violate,” the law.
If the Supreme Court restricts or eliminates the FTC’s pursuit of equitable money relief under Section 13(b), its decision would represent a significant setback for the FTC’s recent attempts to expand its remedial authority in privacy and cybersecurity cases, among others. In June 2018, medical laboratory LabMD obtained the first-ever court decision overturning an FTC cybersecurity enforcement action, convincing the Eleventh Circuit that an FTC cease-and-desist order imposing injunctive relief requiring LabMD to implement “reasonable” data security was impermissibly vague. (The team directing that effort – led by Doug Meal and Michelle Visser – joined Orrick in January 2019.) In the wake of LabMD, the FTC’s new Chairman, Joseph Simons, stated that he was “very nervous” that the agency lacked the remedial authority it needed to deter allegedly insufficient data security practices and that, among other things, the FTC was exploring whether it has additional untapped authority it could use in this space. The FTC has followed through on that promise in the ensuing years, pursuing a wide range of additional remedies, including equitable money relief. An adverse ruling by the Supreme Court could strike a severe blow to the FTC’s efforts on this front.
Such a ruling is entirely possible. Just last month in SEC v. Liu, the Supreme Court recognized limits on the disgorgement power of the Securities and Exchange Commission, determining that it is restricted to situations where the remedy does not exceed a wrongdoer’s net profits and is awarded for victims. However, unlike the FTC Act, the SEC Act specifically authorizes the SEC to seek “equitable relief.” Therefore, the consolidated AMG and Credit Bureau cases afford the Supreme Court an opportunity to recognize even greater restrictions on the FTC’s authority to obtain equitable money relief under Section 13(b) – or, as the Seventh Circuit did in Credit Bureau, to reject such authority altogether.
While in the short term such a ruling may reduce the monetary risks of FTC privacy and cybersecurity enforcement for companies collecting personal information, it could serve as a catalyst for a legislative proposal that would provide the FTC significant new authority to police privacy and security violations and assess civil penalties.
To discuss these cases in more detail, or for advice on the FTC’s privacy and cybersecurity enforcement program more generally, please feel free to contact any member of our privacy & cybersecurity team, which has immense experience in this area.
Whatever the outcome of Schrems 2.0, the key takeaway is, don’t panic.
Tomorrow, July 16, 2020, the European Court of Justice (CJEU) is expected to rule in the case of Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems, colloquially known as “Schrems 2.0”.
The main ingredients haven’t changed much for this long-awaited sequel to the decision that invalidated the Safe Harbor regime in 2015: Austrian data protection activist Max Schrems, Facebook Ireland, Ltd, and another commonly used international personal data transfer mechanism on the chopping block for invalidation.
This time around the court is considering the validity of the Standard Contractual Clauses (SCC) adopted by the European Commission, which goes beyond EU-U.S. transfers and could affect most agreements governing data sharing between the EU and the rest of the world. Regardless of the outcome, tomorrow’s decision is going to have a profound impact on the way international data transfers are treated for years to come – but the key takeaway is not to panic. In this blog post, we have set out the three potential rulings open to the CJEU and what steps you can take to following such a ruling. READ MORE
A recent decision in Indiana highlights the data security liability risks facing employers based on the actions of their employees, extending vicarious liability even to cases where the employees were acting wholly for personal purposes. In SoderVick v. Parkview Health Sys., Inc., the Court of Appeals of Indiana reversed summary judgment in favor of the defendant, reviving claims of respondeat superior against Parkview Health Systems, Inc. (“Parkview”) where the hospital’s employee texted personal health information to a third party. No. 19A-CT-2671, 2020 WL 2503923 (Ind. Ct. App. May 15, 2020). We recently noted a decision of the Supreme Court of the United Kingdom in WM Morrison Supermarks plc v. Various Claimants (“Morrison”) where the Court made the contrary determination, ruling that the large supermarket chain Morrison could not be held vicariously liable as a matter of law for the intentional acts of a rogue employee who posted the payroll data of Morrison employees on the Internet. But as we also explained, businesses that collect personal information should be cautious about reading too much into that ruling: while the Court allowed the appeal in favor of Morrison, the decision turned on the particular facts of the case (where the rogue employee actively tried to damage his employer). The Parkview Health decision further underscores this need for caution, especially with increased remote work due to COVID-19 where the risk of employers being sued over security breaches caused by their employees is, unfortunately, ever-increasing. READ MORE
On May 5, 2020, the Seventh Circuit held in Bryant v. Compass Group USA, Inc. that a plaintiff who asserted a violation of the Illinois Biometric Information Privacy Act’s (“BIPA’s”) notice and consent requirements had Article III standing to pursue her claim in federal court. With respect to BIPA’s retention schedule posting requirement, however, the Seventh Circuit found that allegations of a statutory violation did not, on their own, suffice to confer Article III standing. This decision will make it easier for defendants to keep BIPA claims in federal court, and its standing analysis has significant implications for BIPA cases, as well as other privacy and data security cases more broadly.
On Monday, April 20th, the Supreme Court accepted cert in Van Burien v. United States to (hopefully) resolve a longstanding circuit split regarding the Computer Fraud and Abuse Act (or CFAA): Does an individual exceed authorized access when he or she accesses a computer contrary to a policy or agreement limiting access (i.e., accessing a computer for a purpose beyond those permitted by the company). READ MORE
Cybercriminals are known to attack networks and individuals at inopportune times of crisis—and the coronavirus pandemic unfortunately presents just such an opportunity as millions are accessing corporate networks and databases from home. This past weekend New Jersey and Connecticut joined the growing list of jurisdictions (e.g., California, Delaware, Illinois, Louisiana, Ohio, and New York) to issue orders effectively requiring non-essential workers to avoid the workplace, and in some cases, to shelter-in-place. READ MORE
On March 10, Orrick lawyers Shannon Yavorsky, Rebecca Harlow, Brett Cooper and Julie Totten recorded a discussion about COVID-19 operational issues associated with managing employees and businesses, including covering the topic of cyber vulnerability. The conversation shares insights into how COVID-19 is creating increased cybersecurity and privacy risks as companies prepare for the spread of the virus and are forced to adapt to a new way of doing business. This video is a segment from a one-hour CLE program entitled “The Early Legal Impact of COVID-19.” To view our video and the full length CLE click here. READ MORE