On January 21, 2019, the CNIL (the French data protection authority) issued a fine of €50 million to Google under the General Data Protection Regulation (the “GDPR”) for its failure to (1) provide notice in an easily accessible form, using clear language, when users configured their Android mobile device, and (2) obtain users’ consent to process personal data for ad personalization purposes. The CNIL’s enforcement action and resulting fine arose out of actions filed by two not-for-profit associations, None of Your Business and La Quadrature du Net. The fine was the first significant fine imposed by the CNIL under the GDPR and remains one of the highest fines to date. In determining the amount of the fine, the CNIL considered the fact that the violations related to essential principles under the GDPR (transparency and consent), the violations were continuing, the importance of the Android operating system in France, and the fact that the privacy notice presented to users covered a number of processing operations. Google appealed the decision. READ MORE
A recent decision in Indiana highlights the data security liability risks facing employers based on the actions of their employees, extending vicarious liability even to cases where the employees were acting wholly for personal purposes. In SoderVick v. Parkview Health Sys., Inc., the Court of Appeals of Indiana reversed summary judgment in favor of the defendant, reviving claims of respondeat superior against Parkview Health Systems, Inc. (“Parkview”) where the hospital’s employee texted personal health information to a third party. No. 19A-CT-2671, 2020 WL 2503923 (Ind. Ct. App. May 15, 2020). We recently noted a decision of the Supreme Court of the United Kingdom in WM Morrison Supermarks plc v. Various Claimants (“Morrison”) where the Court made the contrary determination, ruling that the large supermarket chain Morrison could not be held vicariously liable as a matter of law for the intentional acts of a rogue employee who posted the payroll data of Morrison employees on the Internet. But as we also explained, businesses that collect personal information should be cautious about reading too much into that ruling: while the Court allowed the appeal in favor of Morrison, the decision turned on the particular facts of the case (where the rogue employee actively tried to damage his employer). The Parkview Health decision further underscores this need for caution, especially with increased remote work due to COVID-19 where the risk of employers being sued over security breaches caused by their employees is, unfortunately, ever-increasing. READ MORE
Today, we are all facing a public health crisis unlike any other we have seen in our lifetime. In addition to serious consequences to global health, the COVID-19 pandemic has created significant disruption in the legal system and privacy law initiatives have not been immune to the virus’s impact. With many state legislatures nearing or at the end of legislative sessions taken over by pandemic priorities, state privacy bill initiatives across the country are grinding to a halt. However, some lawmakers are pushing forward with targeted proposals to protect individual privacy in the face of COVID-19 and some states, particularly California, continue public and private efforts to bolster privacy in their jurisdiction. Below is a summary of the 2020 privacy legislative efforts to date and the impact COVID-19 has had on their progress. READ MORE
On May 4, 2020, Californians for Consumer Privacy announced that it submitted over 900,000 signatures to qualify the California Privacy Rights Act of 2020 (“CPRA”) for California’s November 2020 ballot. With the California Consumer Privacy Act of 2018 (“CCPA”) set to become enforceable on July 1, 2020, this new ballot initiative has left many wondering what the CPRA is and whether the CPRA will become law. We explore these questions further below.
In recent days, Congress has introduced two divergent “emergency” bills to address privacy issues arising during the COVID-19 crisis. While both bills aim to protect personal data collected for the purposes of contact tracing and containing the spread of the illness, the bills – one led by Republicans, the other by Democrats – offer different approaches in key areas, including the scope of entities covered, preemption of state law, and whether to provide a private right of action. Given these differences, it is unlikely either bill will pass in its current form, barring significant concessions from each side of the aisle. Here is a high-level summary of the key points addressed in each bill: READ MORE
On May 5, 2020, the Seventh Circuit held in Bryant v. Compass Group USA, Inc. that a plaintiff who asserted a violation of the Illinois Biometric Information Privacy Act’s (“BIPA’s”) notice and consent requirements had Article III standing to pursue her claim in federal court. With respect to BIPA’s retention schedule posting requirement, however, the Seventh Circuit found that allegations of a statutory violation did not, on their own, suffice to confer Article III standing. This decision will make it easier for defendants to keep BIPA claims in federal court, and its standing analysis has significant implications for BIPA cases, as well as other privacy and data security cases more broadly.
On April 7, 2020, the French Data Protection Authority (the CNIL) published on its website a Q&A on the right to de-listing. The right to de-listing enables a data subject to request from a search engine to remove one or several results provided when a search request is carried out using the data subject’s name and surname.
The timing of this publication is interesting as it took place a few days after the decision of the French Highest Administrative Court (the Conseil d’Etat) on the so-called Google case.
On Tuesday, Washington Governor Jay Inslee signed into law legal restrictions on the use of facial recognition by public agencies (SB 6280), while the Washington Legislature previously reached an impasse on the proposed Washington Privacy Act (SB 6281) due to a few big ticket items, particularly whether the Act would be enforceable via a private right of action for Washington residents. READ MORE