Bare Statutory Violation of FCRA Fails to Satisfy Standing Requirements Post-Spokeo, Says District of New Jersey in Suit Over Michaels Employment Disclosures

Michaels escaped a potential class action alleging Fair Credit Reporting Act (“FCRA”) violations late last month when a federal judge found the United States Supreme Court’s recent decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) foreclosed the plaintiffs’ claim for a bare statutory violation not resulting in concrete harm. The recent ruling in In re: Michaels Stores, Inc., Fair Credit Reporting Act (FCRA) Litigation confirms the significance of the Spokeo decision and also provides FCRA defendants with additional ammunition for fighting statutory violation claims where damages are lacking.

The Michaels suit consolidated three proposed class actions alleging that the store failed to clearly and conspicuously announce its intent to obtain background checks in a separate document containing only that disclosure, in violation of the FCRA. Instead of providing a standalone document, Michaels disclosed that it would be obtaining such checks as part of its online employment application. The complaints pointed to 15 U.S.C. § 1681b(b)(2)(A), which directs that an employer may not procure a consumer report for employment purposes without providing a “clear and conspicuous disclosure…in a document that consists solely of the disclosure….”

NIS Directive to be implemented in UK despite Brexit

In January, the UK government confirmed that it will implement the EU’s Network and Information Security Directive (NIS Directive) regardless of Brexit. EU member states have until 9 May 2018 to transpose the Directive into their national laws. In its Cyber Security Regulation and Incentives Review, the UK government confirmed that details of the UK’s implementation of the NIS Directive will be released in 2017.

UK Reaffirms Commitment to GDPR while ICO Increases its International Focus

At the beginning of February, the Minister of State responsible for digital and culture policy, Matt Hancock, reaffirmed the UK’s commitment to implementing legislation mirroring the General Data Protection Regulation (GDPR), and ensuring the uninterrupted flow of personal data between the UK and EU post Brexit.

Reaffirmed Commitment to the GDPR

Trump Executive Order Spooks Privacy Shield Adherents and Privacy Community

Data protection and privacy officials and interest groups across the globe produced a flurry of activity on social media this week. Countless tweets, blogs and articles have responded to President Trump’s executive order directed at Enhancing Public Safety, signed during his first full week in office.

The new U.S. executive order

The order, which is chiefly aimed at immigration-related activity, also limits the protections of the United States Privacy Act of 1974 to U.S. citizens and lawful permanent residents – at least to the extent permitted by law.

Section 14 of the Enhancing Public Safety order reads:

“Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

Initial concerns were raised about the potential negative impact of this order on the newly agreed-upon Privacy Shield: fears that non-Americans (and their personal data) would receive less privacy protection from American companies relying upon the Privacy Shield, and that the future of the Privacy Shield could therefore be at risk. EU regulators responded quickly, putting most of these fears to rest.

In its response, the European Commission released a statement that provided clarity as to the limited impact that the order is likely to have on Europeans’ data protection rights.

First, the Commission pointed out that the EU-U.S. Privacy Shield does not rely on the protections of the U.S. Privacy Act. The Privacy Act is relevant to EU residents only when their data is sent directly to U.S. law enforcement bodies. The Privacy Act of 1974 governs the collection, use and disclosure of personal data by U.S. federal agencies, that is, individuals’ dealings with the government directly. It does not come into play in business-to-business international transfers of data.

Second, the Commission pointed out that it is by way of other instruments (namely, the incoming EU-U.S. Umbrella Agreement and the U.S. Judicial Redress Act) that Europeans are granted the benefits of the U.S. Privacy Act and access to U.S. courts.

It was also noted that one of the final acts of the outgoing U.S. attorney general was to sign a notice extending U.S. Privacy Act remedies to 26 countries, in addition to the EU.

Privacy Shield unaffected

Despite the exclusionary language of the executive order, the order does not alter the applicability of the U.S. Privacy Act for EU citizens, nor does it have a direct legal impact on the adequacy of the Privacy Shield.

The intentions behind the order may raise concerns about the future of the Privacy Shield, which is not without its detractors on both sides of the pond. With a challenge brought before the European courts in 2016 by Digital Rights Ireland, the Privacy Shield has gotten off to a rough start in its first year of implementation.

Perhaps the most important signal of the order is the likelihood of a substantial change in the new administration’s policy direction on privacy and data protection matters. For example, whether the perceived goal of the order, limiting the procedural and substantive protections of U.S. law to citizens, might be extended to other laws providing significant data protection for financial institutions (GLBA), health care and insurance (HIPAA) and telecommunications (CPNI), or elsewhere, remains unclear. Much of the initial outcry regarding the broader direct implications of the order can be attributed to a lack of widespread understanding of the Privacy Act of 1974 and its applicability. Nonetheless, the order itself, and the early actions of the new administration, will be watched carefully by technology and other businesses, as it remains clear that the actions of policymakers in Washington can have an immediate, and sometimes material, impact on businesses reliant on international data transfers and processing.

Despite these initial hiccups, though, the Privacy Shield remains fully intact.

Article 29 Working Party adopts its 2017 Action Plan

In early January, the Article 29 Working Party (WP29) adopted its 2017 Action Plan (Action Plan) on the implementation of the General Data Protection Regulation (GDPR).

Amongst the actions proposed, the Action Plan provides a list of guidelines to be published throughout the year, which are set to cover:

Building the EU data economy: time for an upgrade?

The European Commission recently launched a public consultation on Building the European Data Economy. The consultation is intended to feed into the Commission’s 2017 policy agenda on the European data economy.

The data economy

In its Communication entitled “Building a European Data Economy,” the Commission has re-identified (from its 2012 Communication) the need to upgrade the EU’s legal framework regarding the trade of data.

“Do as I say, not as I do”: A business specialising in blocking unsolicited marketing calls is fined for making unsolicited marketing calls

“Do as I say, not as I do”

It is difficult to miss the irony of the ICO’s first fine for nuisance calls since it took over the Telephone Preference Service (TPS), as reported in our earlier blog in December.

IT Protect Ltd., a Bognor Regis firm that sells a call-blocking device purportedly stopping unwanted marketing calls, was fined £40,000 on 11 January by the ICO for making nuisance calls. After receiving more than 30 complaints, the ICO investigated and found that IT Protect Ltd. had been making unsolicited marketing calls for more than a year to people registered with the TPS.

Ajit Pai Appointed Chairman of the FCC – Expect Change

In one of his earliest official acts, President Trump appointed FCC Commissioner Ajit Pai as the permanent Chairman of the FCC. While many thought Commissioner Pai was the most likely candidate to be named interim Chairman, President Trump skipped the interim step and appointed Chairman Pai on a permanent basis. This decision is significant because it eliminates the need for Senate confirmation: while the appointment of a new FCC Commissioner requires Senate confirmation, the president may name the chairman from among the sitting Commissioners with no further action required. For the time being, Chairman Pai will head a three-member, Republican-majority panel consisting of himself, fellow Republican Commissioner Michael O’Rielly and Democratic Commissioner Mignon Clyburn. Two seats on the five-member Commission are currently vacant.

While it is difficult to predict the exact course Chairman Pai will set for the Commission, one thing is certain: under his leadership, the FCC will be vastly different than it was under previous Chairman Tom Wheeler.

A Commissioner since 2012, during the Obama administration, Chairman Pai strongly dissented from most of the significant rulemaking proceedings championed by former Chairman Wheeler. Notably, Chairman Pai was adamantly opposed to the adoption of the 2015 “Open Internet” Order, as well as the subsequent Broadband Privacy Order of 2016.


Superior Court of Pennsylvania Affirms Rejection of Proposed Data Breach Class of UPMC Workers, Finding Hospital Owed No Duty to Protect Information

Affirming a lower court decision this blog discussed here, the Superior Court of Pennsylvania held on January 12 that dismissal of a proposed data breach class action was proper because the University of Pittsburgh Medical Center owed no legal duty to protect employee information stolen by a third party. The 2-1 majority’s finding that UPMC had no duty of care to protect the compromised information rested on a thorough analysis of the factors the Pennsylvania Supreme Court has established for determining whether a duty exists. The dissent analyzed the same factors but argued that, on balance, they weighed in favor of finding a duty.

Switzerland and the United States Agree Privacy Shield Framework

The governments of Switzerland and the United States finalised the Swiss-U.S. Privacy Shield Framework on 11 January. The Framework is similar in many respects to the EU-U.S. Privacy Shield, and replaces the U.S.-Swiss Safe Harbor Framework with immediate effect.

Background