Recent cases have highlighted the continued tensions between the GDPR and U.S. demands for discovery in the context of U.S. litigation and investigations. This issue can present a real concern for companies operating on both sides of the pond seeking to comply with obligations on either side. Whilst the GDPR provides EU citizens with valuable protections on the processing and cross-border transfer of their data, it is not an automatic shield from the demands of U.S. state or federal laws that require the preservation, collection, and potential disclosure of any documentation relevant to a matter – regardless of where it originates or to whom it relates.

The process of U.S. discovery that requires the transfer of potential evidence originating or stored in the EU to the U.S. will often trigger obligations under the GDPR where it involves the processing and cross-border transfer of personal data. While previous cases have shown U.S. courts to be reluctant to allow foreign laws to be a barrier to U.S. discovery, two recent cases have provided insight on the U.S. courts’ approach when dealing with the GDPR in this context.

Although the California Consumer Privacy Act (CCPA) specifically precludes private lawsuits except for those resulting from certain data breaches, that has not stopped at least one plaintiff from bringing a putative class action based on an alleged CCPA violation.

A proposed class action was filed on February 27, 2020, in the Southern District of California against Clearview AI (Burke v. Clearview AI, Inc., S.D. Cal., No. 3:20-cv-00370-BAS-MSB). The complaint alleges that Clearview’s facial recognition technology – which scrapes, without notice or consent, social media websites for images of consumers’ faces – violates, among other laws, both the CCPA and the Illinois Biometric Information Privacy Act (BIPA). According to the complaint, Clearview’s facial recognition software uses the billions of scraped images in its database to generate a type of biometric information, known as a “faceprint,” to match a face to other personally identifiable information; it then sells access to the faceprint database to law enforcement agencies and private companies. The complaint charges that Clearview improperly collected personal information without properly notifying consumers.

2019 signalled significant growth in both regulatory focus and litigation involving biometric privacy. The passage of the California Consumer Privacy Act (CCPA), the addition of biometrics to numerous state data breach notification laws (including New York), and continued class action lawsuits emanating from Illinois’ Biometric Information Privacy Act (BIPA) made biometrics a trend line in 2019 that shows no signs of slowing down in 2020. State legislatures will continue to take note of BIPA’s impact in Illinois and will watch closely as the CCPA is effective as of January 1, 2020, taking cues as to whether or how to implement statutory and regulatory frameworks for biometrics in their own states. Organizations that collect and use consumer or employee biometric data should be aware of their obligations and be on the lookout for more activity on both the regulatory compliance and litigation fronts in the new year.

BIPA provides an express private right of action for consumers who claim that their biometric privacy rights have been violated. In January of 2019, the Illinois Supreme Court affirmed this right when it ruled in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff need only allege a violation of BIPA, not an allegation of actual harm, in order to plead a claim under the Act. Since this decision, BIPA has continued to spawn an onslaught of biometric privacy class actions.

An attempt to bring legal action against Google for its alleged tracking of an estimated 4.4 million iPhone users in 2011 and 2012 has been blocked by the UK High Court (the court).

Campaign group “Google You Owe Us” brought the claim as a representative action on behalf of the affected individuals (the class) in 2017. It is thought to be the UK’s first mass legal action of its kind.

The case

Google You Owe Us argued that Google breached its duty under the Data Protection Act 1998 by circumventing the default settings in Apple Safari, placing cookies on the browser to track users’ movements, and using the collected data to sell advertisements. The decision is still relevant to the Data Protection Act 2018.

In an application for permission to serve the claim on Google in the United States, the High Court was required to determine, amongst other things, whether the claim had a reasonable prospect of success.

Justice Warby acknowledged that Google may have breached its duty. He said: “There is no dispute that it is arguable that Google’s alleged role in the collection, collation and use of data obtained via the Safari Workaround was wrongful, and a breach of duty.”

In anticipation of the implementation of the Trade Secrets Directive, the topic of know-how protection has been widely discussed. Dr Anette Gärtner, along with Sabrina Gossler, has written an article which explores the current legal situation in Germany, analyses the relevant provisions of the Directive and explains the immediate next steps for companies operating in