
Digital Privacy and Data Protection

Digital Privacy and Data Protection. ACC Colorado Happy Hour CLE March 13, 2014. Presenters. Tom Leland - Partner and Co-Chair, Business Litigation Team, Lathrop & Gage LLP, Denver

yoko

Presentation Transcript


  1. Digital Privacy and Data Protection ACC Colorado Happy Hour CLE March 13, 2014

  2. Presenters • Tom Leland - Partner and Co-Chair, Business Litigation Team, Lathrop & Gage LLP, Denver • Bryan Clark – Associate, Digital Privacy and Data Protection Practice Group, CIPP/US, Lathrop & Gage LLP, Chicago • Michael Jones – Global Privacy Program Manager, CIPP/US, Monster Worldwide, Inc., Boston

  3. Overview of Agenda • United States statutory framework • EU privacy framework • Technological background • Recent regulatory developments • Recent litigation developments

  4. Key Privacy Laws in the United States • Gramm-Leach-Bliley Act for financial information • Health Information Portability and Accountability Act (HIPAA) for health information • FTC Act for all other personal information • Section 5 prohibits unfair or deceptive trade practices

  5. EU Privacy Laws and Directives • Privacy is a fundamental human right • Data Protection Directive 95/46/EC • Not prescriptive • Required each member country to pass a data protection law • Directive on Privacy and Electronic Communication 2002/58 • Amended by Directive 2009/136 (“Cookie Directive”)

  6. Privacy in the EU • Differs from privacy in the US • In the US, few privacy rights in public • In the EU, right to privacy extends farther • Consent-based model • Convictions of Google executives in Italy • Google fought Spain’s AEPD in EU court over forced removal of names from Google search results. Google ultimately won

  7. Data Transfers • EU generally prohibits transfer of personal information outside of the EU • Enter Safe Harbor • Negotiated by the US Department of Commerce • US orgs voluntarily agree to EU standards in exchange for being permitted to export personal data to US

  8. Social Networking • Marketing • CAN-SPAM • Canada’s Anti-Spam Legislation (CASL) • Takes effect on July 1, 2014 • Prohibits sending unsolicited commercial electronic messages • More stringent than CAN-SPAM • Employment • Many states have prohibited requesting social media account credentials as part of a job application • False friending – “A lawyer may not attempt to gain access to a social networking website under false pretenses, either directly or through an agent”– NY State Bar Association – Formal Opinion

  9. Social Networking • CAN-SPAM • National Labor Relations Act • Costco Wholesale Corp., 358 NLRB No. 106 (Sept. 7, 2012) • Costco employee handbook stated “statements posted electronically (such as [to] online message boards or discussion groups) that damage the Company, defame any individual or damage any person’s reputation, or violate the policies outlined in the Costco Employee Agreement, may be subject to discipline” • NLRB found this policy was overbroad because it has a tendency to inhibit protected employee activity • Lesson: ensure social media policy does not prohibit any protected activity

  10. Online Advertising • Beacons, and cookies, and trackers, oh my!

  11. User Tracking

  12. Tracking Technology

  13. [Diagram with numbered steps 1-7 connecting: User, ISP, Website (Publisher), Ad Network, Advertiser] • User enters URL into browser • User’s computer contacts ISP’s DNS to resolve URL into an IP address • User’s browser contacts IP address • HTML builds site, including instructions for user’s computer to contact ad server • User transmits cookie data to ad network • Ad network chooses advertiser to match cookie • Ad network serves targeted ad

  14. Trends and Initiatives in OBA

  15. Data Security • Several states have data security laws: CA, MA, TX • 46 states have breach notification laws • Financial account information, state-issued identification number, SSN • Federal data security standard set by NIST Special Publication 800-53 (Rev 4) • Currently voluntary standard

  16. Encryption

  17. Security Trends in Privacy • Encryption • Role-based access • Limiting access to those who need it • Information-centric security • Protecting information based on type of data, not location of data • Increased attention to authentication • Token protection • APIs that let you interact with a site while on a third-party site (e.g., Facebook’s “like” button)

  18. Recent Regulatory Developments • Points of emphasis for FTC • Comments from Commissioner last week • New regulations under Telephone Consumer Protection Act, 47 U.S.C. 227 (“TCPA”) • Went into effect October 16, 2013 • Written express consent is the key

  19. Recent Litigation Developments • Article III standing • Mooting • Attempts to strike class allegations pre-discovery • Hobbs Act • Implied consent • ATDS/capacity • Confirmatory opt-out

  20. Article III Standing • Under Article III, a plaintiff must allege facts sufficient to show (1) injury in fact, (2) causation, and (3) redressability. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992). • LaCourt v. Specific Media, Inc., 2011 WL 1661532, at *5 (C.D. Cal. Apr. 28, 2011) (“If Plaintiffs are suggesting that their computers’ performance was compromised . . . they need to allege facts showing that this is true.”). • Yunker v. Pandora Media, Inc., 2013 WL 1282980, *5-6 (N.D. Cal. March 26, 2013) (reasoning in part that amorphous claims of decreased memory space and potential future harm were insufficient to establish standing).

  21. Mooting • “[O]nce the defendant offers to satisfy the plaintiff’s entire demand, there is no dispute over which to litigate, and a plaintiff who refuses to acknowledge this loses outright . . . because [he] has no remaining stake.” Damasco v. Clearwire Corp., 662 F.3d 891, 895 (7th Cir. 2012). • “If an intervening circumstance deprives the plaintiff of a ‘personal stake in the outcome of the lawsuit,’ at any point during litigation, the action can no longer proceed and must be dismissed as moot. . . . [T]he mere presence of collective-action allegations in the complaint cannot save the suit from mootness once the individual claim is satisfied.” Id. at 1529. Genesis Healthcare v. Symczyk, 133 S.Ct. 1523, 1528-29 (2013).

  22. Striking Class Allegations • Theory is to attack class allegations and defeat certification before expending significant resources in discovery. • Approach has had limited success, but it is gaining some traction lately. • See, e.g., Labou v. Cellco Partnership, 2014 WL 824225 (E.D. Cal. March 3, 2014)

  23. Hobbs Act • The question here is the degree to which the Court can rule on FCC interpretations (such as whether a text message is a call under the TCPA). • The Hobbs Act provides in part that “[t]he court of appeals ... has exclusive jurisdiction to enjoin, set aside, suspend (in whole or in part), or to determine the validity of all final orders of the Federal Communications Commission made reviewable by section 402(a) of title 47.” 28 U.S.C. § 2342(1). • Courts have treated this in different ways. Compare Leyse v. Clear Channel Broadcasting, Inc., 697 F.3d 360 (6th Cir. 2012) (“A case that is not a proceeding to enjoin or annul an FCC order lies outside the ambit of [the Hobbs Act]”); Nack v. Walburg, 715 F.3d 680 (8th Cir. 2013) (holding that the court is bound by the FCC interpretation of the TCPA because of the Hobbs Act).

  24. Implied Consent (TCPA) • A hot issue in the TCPA context is whether a consumer can give consent to receive a text message by providing his or her cell phone number. • Baird v. Sabre, Inc., 2014 WL 320205 (C.D. Cal. Jan. 28, 2014), was one of the most recent federal decisions to hold that provision of a cell phone number is consent to receive a text message. • Other cases to watch: Coca-Cola cases in S.D. Cal. and N.D. Ala.

  25. ATDS/Capacity (TCPA) • Another key issue in TCPA cases relating to the autodialer provision is whether the equipment at issue has merely the “capacity” to autodial, or whether that capacity is actually being used. • Gragg v. Orange Cab Co., 2014 WL 801305 (W.D. Wash. Feb. 28, 2014) is one of the most recent authorities in this area and holds that mere capacity is not enough. • However, many courts have held (based on the strict statutory language) that capacity is all that is required.

  26. Confirmatory Opt-Out (TCPA) • Mixed results. • Ibey v. Taco Bell Corp., Case No. 12-cv-0583 (S.D. Cal.): Dismissal where case was based on single, confirmatory text. • Ryabyshchuk v. Citibank (South Dakota) N.A., Case No. 11-cv-1236 (S.D. Cal.): Denying motion to dismiss where case was based on single, confirmatory text.
