Data Privacy in a Time of Reaction: "Big Data" versus "The People"

by White & Case LLP
Contact

White & Case LLP

1. Data privacy concerns entwined with anti-globalization

Anti-globalization has become a serious theme in Western countries. Right-wing and left-wing political movements converge on the issue. Centrist elites acknowledge that the great wave of borderless commerce since the end of the Cold War has imposed unanticipated, serious harm on local work forces.

Recent political developments around the world underscore the trend.  A consensus is developing that something must be done, with no agreement on what. In addition, the nature of security risks has changed: both terrorism and financial and industrial crime increasingly inhabit the shadow world created by the Internet. At a base level, substantial constituencies are now re-examining the main economic drivers of the modern world, with potentially severe political and commercial ramifications.

The same dynamic of expansion and reaction is now confronting the movement of data. On the one hand, most people recognize the benefits of technology.  On the other hand, many scapegoat technology as the problem. "Security" and "privacy" are the surrogate targets for these concerns. They exert the same rallying power as "jobs," "income equality" and "immigration." The "cloud" and "networking" may inspire the same suspicions as "outsourcing" and "free trade." However, there is a major difference—there are no simple fixes for macroeconomic trends; but there is a sense that there are available methods to address privacy concerns. These include law, regulation, computer mechanics and cyber warfare.

Concern about data privacy and security, whether for intrinsic reasons or as a vehicle to advance other agendas, has been building as a result of various high-profile incidents, including the multiple reports of vast commercial hacking, Snowden's exposé of government surveillance activities, and cyber breaches of sensitive government personnel data. The tipping point may have been reached as a result of the presumptive Russian/WikiLeaks involvement in the US political process. Until those events occurred, "hacking" was considered something that occurred largely outside of the overt political sphere, instead impacting private institutions (such as banks) and individuals (suffering identity theft) or occurring behind the closed doors of national security agencies. The extraordinary infiltration and disclosure of data from the Democratic Party, campaign officials and current and former US national leaders is vivid and tangible. Everyone can understand "if it can happen to them, it can happen to me."  In this environment, data privacy and security issues may be manipulated, and related violations penalized, based on economic or political motivations.

2. US and EU approaches to data privacy have differed, but are converging

While there is no express general right to privacy in the US Constitution, several of its provisions (in particular, in the Bill of Rights) protect specific aspects of an individual's privacy,i and the Fourteenth Amendment is often interpreted (despite some prominent opponents ii) as guaranteeing a fairly broad right to privacy; spawning several seminal Supreme Court cases.iii In addition, many US states recognize related torts, such as for invasion of privacy and protection of rights of publicity. In Europe, privacy has a long tradition as a fundamental human right. It is enshrined in the European Union's Charter of Fundamental Rights, which is enforced by a dedicated Court of Human Rights and is the cornerstone for a plethora of related privacy law, regulation and cases.

However, historically, the approach taken by each jurisdiction to the privacy of data about individuals has differed. The data privacy regime in the European Union ("EU") reflects the "fundamental human right" approach and generally expects "privacy by default." In contrast, the US has tended to focus instead on the constitutional right to free speech, transparency and the people's "right to know." In the EU, any encroachment on overarching, universally applicable rights to privacy of an individual's data requires a specific justification, rationale or "lawful basis." In the US, by contrast, any assertion of an inherent right to data privacy generally requires specific law-making or expanded interpretations of existing law (whether by legislatures, regulators or courts) to "create" a right that does not otherwise exist. The EU has an omnibus data privacy regime, applicable in all industries and to all businesses,iv while the US has a patchwork of laws and precedents in specific areas such as health care, higher education and financial services.v When it comes to the consent of an individual to the collection of data about them, the US takes more of a libertarian view, so individuals are largely considered freely able to give consent to any use of their data by any means and in any circumstances, while in the EU, an individual's consent can be challenging to establish and rely upon in certain circumstances (perhaps most notably within the employer-employee contextvi).

When it comes to international business and relations, particularly across the Atlantic, these differences in approach and legal regime create tension. EU citizens and other stakeholders bemoan a lack of respect for EU data privacy laws by US businesses and government. EU courts have declared that the US does not provide "adequate protection" of personal datavii and in response have stretched territorial concepts to the limit in an effort to make global businesses headquartered outside the EU subject to EU data privacy laws.viii EU regulators have "upped the ante" by introducing new regulations with maximum fines based on a percentage of a business's worldwide revenues.ix Meanwhile, US businesses, which at home (outside certain sectors) have generally been free to use and monetize personal data as they see fit, unless there is a contract or law that specifically prevents them from doing so, have been frustrated by the EU legal regime and have been deterred from doing business in Europe. This is because the EU legal regime appears to many US businesses as introducing draconian and often entirely new compliance obligations. From a US perspective, the European approach jeopardizes profits and even existing business models, appears in a constant state of flux, and calls into question or invalidates entirely compliance mechanisms that were once considered adequate.x

Notably, the legal (and political) balance has appeared at times to be shifting to the European approach to data privacy. In order to facilitate transatlantic data transfers, the US government recently made significant concessions on issues like the surveillance and rights of EU citizens to litigate data privacy complaints in US courts.xi In addition, while there is currently no EU-style omnibus data protection law, there have been several moves to introduce one.

3. New privacy protection measures are rising in the US

The "holes" in the US patchwork grow smaller every day, with the regular introduction of new state and federal data privacy laws governing different issues, not to mention the FTC's increasingly active role in enforcing consumer data privacy and cybersecurity rights, under the general umbrella of "unfair or deceptive" trade practices. There have also been several recent examples of a policy shift by big business in the US towards "privacy-first" principles as a compelling consumer offering, even in the face of demands for cross-border disclosurexii and calls for decryption of consumer data in extremely dramatic scenarios. Finally, the plaintiffs' class action bar has shown a growing interest in damages cases for hacking and negligence on the part of hacked businesses.xiv

Government enforcement of law and policies is often the front line. However, there is a more serious enforcement mechanism at hand.xv The US pioneered the use of private litigation for the enforcement of public policy. Beginning over a hundred years ago with antitrust enforcement, followed by securities fraud, organized crime,xvi corporate corruption,xvii and, most recently, terror financing, the private right of action has been a mainstay of US policy and jurisprudence. It is the substantive and economic basis of a large part of the US legal profession. While its use in the data privacy context has been limited so far, and many cases get dismissed for lack of common injury or harm, there has been much discussion about this situation, and it is likely only a matter of time before there are new laws to address the issue.xviii New legislation, together with existing laws and case precedent, dramatically increases the pool of potential litigants and offers them ever more fertile opportunities to sue for data privacy incursions and violations, whether because of external hacking or internal mishandling (whether intentional, reckless or negligent). Government and private litigation often cooperate in pursuing enforcement targets, where the governmental parties seek criminal or civil penalties and the private plaintiffs seek money damages. This powerful combination can pose extreme, possibly existential risk for business defendants. And this is the likely future for privacy enforcement.

4. Takeaways

There are many possible scenarios of business risk in the constantly evolving landscape of data privacy rights, cyber threat capabilities, and regional economic and political interests.  As a result, implementing a robust data privacy regime requires more than solid data management and security practices.  A company's global market strategy increasingly must anticipate how data collection, use, and transfer restrictions are likely to change over time, and data privacy and security programs must be designed to respond to those changes faster than the competition.

i E.g., Privacy of beliefs (1st Amendment), privacy of person and possessions against unreasonable searches (4th Amendment), privilege against self-incrimination, i.e., privacy of certain personal information (5th Amendment).
ii E.g., Judge Robert Bork.
iii E.g., Meyer v. Nebraska, 262 U.S. 390 (1923), Pierce, Governor of Oregon, et al. v. Society of the Sisters of the Holy Names of Jesus and Mary, 268 U.S. 510 (1925), Griswold v. Connecticut, 381 U.S. 479 (1965), Roe v. Wade, 410 U.S. 113 (1973).
iv See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive), and related EU legislation including Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications), Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.  See also Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), which, as well as repealing the Data Protection Directive, amends the Directive on Privacy and Electronic Communications.
v See, e.g., Health Insurance Portability and Accountability Act ("HIPAA"), 42 U.S.C. § 300gg, 29 U.S.C § 1181 et seq. & 42 USC § 1320d et seq.(1996); Health Information Technology for Economic and Clinical Health ("HITECH") Act, 42 U.S.C. § 300jj et seq. & § 17901 et seq. (2009); The Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. § 1232 (1974); Gramm-Leach-Bliley Act ("GLBA"), 15 U.S.C. § 6801 et seq.(1999); Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681 et seq. (1970).
vi It is generally understood that an employer in the EU may be unable to obtain genuine consent from employees to process their personal data, on the ground that those employees might not, realistically, be able to refuse to consent (leaving such employers to pursue other options for legitimizing the processing of employee personal data). See, e.g., the fifteen year-old Article 29 Data Protection Working Party Opinion 8/2001 on the processing of personal data in the employment context ("If it is not possible for the worker to refuse it is not consent" and "where as a necessary and unavoidable consequence of the employment relationship an employer has to process personal data it is misleading if it seeks to legitimise this processing through consent".)
vii Case C-362/14 Maximillian Schrems v. Data Protection Commissioner.
viii Case C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, 2014 E.C.R. 317; Case C‑230/14, Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, 2015.
ix General Data Protection Regulation, supra note iv, Article 79.
x See, e.g., "European Court of Justice Invalidates EU-US 'Safe Harbor' Pact," (Oct. 14, 2015); New Threats to Transatlantic Data Flows as Model Clauses Come Under Fire (June 9, 2016); EU-U.S. Privacy Shield Challenged,  (Nov. 2, 2016).
xi Judicial Redress Act of 2015, H.R. 1428, 114th Congress (2015-2016) (enacted). And see ANNEX A: EU-U.S. Privacy Shield Ombudsperson Mechanism, and, regarding Privacy Shield more generally, EU-U.S. Privacy Shield approved,(Jul. 12, 2016).
xii See, e.g., Microsoft Corporation v. United States of America, No. 14-2985 (2d Cir. 2016).
xiii See, e.g., Matt Zapotosky, "FBI Has Accessed San Bernardino Shooter's Phone Without Apple's Help," (March 28, 2016), Contrast with this example of the approach taken by a foreign government, with China moving to require technology suppliers to disclose their proprietary source code, to prove their products cannot be compromised by hackers.
xiv See, e.g., Dominic Patten, "Sony Hack Class Action Settlement Gets Final Approval," (April 6, 2016, 10:36 AM), ("the total price tag to Sony [from litigation arising out of a Nov. 24, 2014 data breach] is around $15 million, with a max of $10,000 per individual plus around $1,000-$3,000 to the group of initial plaintiffs"); Charles Riley & Jose Pagliery, "Target Will Pay Hack Victims $10 Million," (March 19, 2015: 3:05 PM ET), ("Target will pay customers who suffered from a 2013 data breach up to $10,000 each in damages.")
xv E.g., the Financial Crimes Enforcement Network, a bureau of the US Department of the Treasury, is empowered to enforce domestic laws prohibiting money laundering, terrorist financing, and other financial crimes. A federal district court in Minnesota also recently held that the Bank Secrecy Act (BSA) permits FinCEN to bring suit against individuals for willfully violating the BSA's anti-money laundering requirement, see, U.S. Dep't of Treasury v. Haider, No. 15-CV-01518, 2016 WL 107940 (D. Minn. Dec. 18, 2014).
xvi Racketeer Influenced and Corrupt Organizations Act ("RICO"), 18 U.S.C. §§ 1961–68 (1970).
xvii E.g., False Claims Act, 31 U.S.C. §§ 3729–33 (amended 2009); Foreign Corrupt Practices Act ("FCPA"), 15 U.S.C. § 78dd-1 et seq. (1977).
xviii Justice Against Sponsors of Terrorism Act ("JASTA"), Pub.L. 114–222, 114th Congress (2015­­–2016) (enacted); Judicial Redress Act, supra note xi.

Alan Gover, a Retired Partner of White & Case also assisted in the development of this publication.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising

Written by:

White & Case LLP
Contact
more
less

White & Case LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.
Feedback? Tell us what you think of the new jdsupra.com!