2020 has been a busy year in privacy law both domestically and around the globe. Some of the most striking developments included enforcement of the California Consumer Privacy Act (CCPA) and passage of the California Privacy Rights Act (CPRA) expanding the CCPA; the invalidation of the U.S.-EU Privacy Shield Framework in July; the introduction of a new model for assessing the legitimacy of international data transfers and multiple new standard contractual clauses to govern those transfers; the EU’s introduction of the Digital Services Act and the Digital Markets Act for debate and review; and the passage of legislation closely mirroring Europe’s General Data Protection Regulation (GDPR) in multiple countries, including China and Brazil. As a complement to Kramer Levin’s practice on Cybersecurity, Privacy and Data Protection, we regularly publish client alerts on important developments. For your convenience, we have collected our 2020 client alerts in one place, while looking ahead at issues to monitor in 2021.
Legislative and regulatory developments
Both in the U.S. and internationally, legislation on privacy and data security has changed in important ways over the past few years. Regulatory frameworks supporting or complementing privacy and data security legislation have also developed at a rapid pace. 2020 saw an acceleration in these areas. In chronological order, some of the more significant U.S. regulatory frameworks this year included the CCPA, the SHIELD Act, and the CPRA. Abroad, significant privacy developments came from the courts as well as the legislatures, particularly around the topic of international data transfers.
CCPA takes effect in January 2020
January 2020 saw the implementation of the California Consumer Privacy Act, which introduced new obligations on businesses and granted new rights to consumers regarding their personal information:
- Right to Notice Before Collection
- Right to Know What Has Been Collected
- Right to Know What Is Sold or Disclosed, and to Whom
- Right to Deletion
- Right to Opt Out of Sale
- Right to Nondiscrimination or Equal Service and Price
Only California residents can exercise these rights through a data subject access request, or DSAR, and the CCPA allows a company to deny a request if it must do so to comply with federal, state or local laws. For more details, see our February article.
Certain SHIELD Act provisions take effect in March 2020
Landmark pieces of legislation can take time to implement. For example, the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was signed into law in July 2019, but some parts of it only became effective in 2020. Kramer Levin’s privacy and data security team considered what the new data security requirements could mean for businesses — particularly non-New York businesses that hold New York resident data — in this June article.
The impact of the SHIELD Act is twofold. First, companies must disclose data breaches — as defined under the act to include unauthorized access as well as acquisition, which could include ransomware attacks — and must report to the New York regulators if a breach occurs. Second, companies must also implement safeguards to protect the security, confidentiality and integrity of private information (i.e., companies subject to the SHIELD Act must have a data security program). While the act does not establish specific requirements, it lists various practices that are considered reasonable administrative, technical and physical safeguards. For each safeguard, the act lists actions or procedures a company should consider implementing. Businesses should also note that service providers that have access to personal data of the company’s employees or customers or that in some way might provide an entryway to the company’s network or systems will be held to the same standards and best practices.
California Privacy Rights Act of 2020 expands scope of the CCPA
Less than a year after the CCPA took effect, California voters passed Proposition 24, an amendment to the CCPA known as the California Privacy Rights Act of 2020. Notable changes include updated restrictions on information sharing, an expanded definition of “personal information,” the inclusion of a new category of “sensitive personal information,” the consumers’ right to demand their personal information be corrected, and stronger protections for minors. The CPRA also extended the CCPA’s exemption of employee data and business-to-business (B2B) data until Jan. 1, 2023, giving employers and B2B data processors more time to implement compliance with CCPA and CPRA obligations; however, the CCPA and the CPRA still require employers to provide their California-based employees with privacy notices that disclose what information is collected and how it is used. Lastly, the CPRA established a dedicated enforcement agency, which broadens enforcement as the attorney general’s office admitted it could only prosecute a few cases per year under the CCPA. More information is available in our November client alert.
European Court of Justice invalidates U.S.-EU Privacy Shield Framework in July
In July, Europe’s highest court, the European Court of Justice (ECJ), invalidated the U.S.-EU Privacy Shield Framework in a decision commonly known as Schrems II (because it is the second major court decision involving Max Schrems, a prominent Austrian privacy activist, as plaintiff). As we noted earlier this year, with the framework being struck down, companies must use other mechanisms recognized by the GDPR to appropriately safeguard personal data transfers, including utilizing standard contractual clauses in data transfer or protection agreements. Since our article was published, the EU released additional guidance (discussed below) on data transfers from the EU to a third country.
Shortly after the ECJ decision, Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) also deemed the Swiss-U.S. Privacy Shield inadequate to afford the appropriate level of data protection. The FDPIC isn’t a court, however, and doesn’t have the authority to strike down the regime. As of writing this update, the Swiss-U.S. Privacy Shield is still in effect.
European Data Protection Board provides a data security checklist for international data transfers; European Commission proposes draft decision on standard contractual clauses
European regulators rushed to provide more guidance amid the uncertainty caused by the ECJ’s July invalidation of the U.S.-EU Privacy Shield Framework. The details are available in our November client alert, but the essential elements are laid out here.
For its part, the European Data Protection Board (EDPB) outlined a process for ensuring data protection compliance with the EU’s GDPR for EU residents’ personal data that is transferred internationally. The guidance provides a series of steps to follow and includes an overall focus on assuring that the transferred data cannot be reached impermissibly and without notice by governments in the transferred-to country (the driving factor in the ECJ’s invalidation of the Privacy Shield Framework).
The six steps include:
In conjunction with this guidance, the EDPB issued European Essential Guarantees Recommendations that further clarify some of the steps companies should take — for instance, how to assess the laws or practices of the third country, which might make the transferred data vulnerable to collection and processing by a governmental entity not anticipated or authorized in the transfer.
The next day, the European Commission proposed a draft decision updating the available Standard Contractual Clauses (SCCs), which are a primary mechanism still recognized by the GDPR to appropriately safeguard and transfer EU personal data to third countries. Crucially, if the decision is adopted and new SCCs are effective, companies will have a 12-month period in which to phase out and replace all existing SCCs. The draft decision provides an Annex with a draft set of four new SCCs or “modules,” which outline obligations for data exporters and importers in multiple data transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller. The comment period on the draft decision and modules closed on Dec. 10, 2020. A notable provision in the modules is a requirement that the data importer notify the data exporter if it cannot follow its instructions or if processing of the data infringes on the GDPR or other member state data protection laws. For example, for each of the four modules, Clause 2 includes representations concerning “local laws affecting compliance,” including an obligation that the data importer must “promptly notify the data exporter if ... it has reason to believe that it is or has become subject to laws not in line with the requirements” of the SCCs. And Clause 3 for each of the four modules includes obligations on the data importer in the event of a government access request, which contemplates situations in which the importer may be under an obligation not to disclose the government access. These new obligations have come under heavy scrutiny in the comment period.
Other International Developments
Outside the U.S. and the EU, other countries have either adopted privacy legislation in 2020 or taken steps in that direction. Following are the most notable among them:
- Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais), or GDPL, took effect in September 2020, though enforcement provisions and private rights of action will take effect in August 2021. The GDPL applies to any person or company that conducts business in Brazil, processes the data of Brazilian nationals, or possesses data that has been collected in Brazil. It is similar to the GDPR in a number of respects, including its extraterritorial reach.
- China’s Personal Data Protection Law (PDPL) was published for comment in October 2020. If adopted, the PDPL would become China’s first comprehensive privacy legislation. It would apply to the collection and use of personal data in China, regardless of the person’s nationality. The draft legislation includes a private right of action for data breaches.
- Canada’s Consumer Privacy Protection Act (CPPA) was introduced in the House of Commons in November 2020. If adopted, the CPPA would introduce the highest penalties for privacy violations in the G7. The most serious offenses would carry fines worth as much as 5% of the offender’s revenue or $25 million, whichever is higher.
Major fines and settlements
SCOTUS to resolve circuit split on Computer Fraud and Abuse Act
The Supreme Court will resolve a circuit split over the meaning of criminal “unauthorized access” when the Court renders its decision on the appeal of the Eleventh Circuit’s decision in United States v. Van Buren. As we outlined in a client alert, the Eleventh Circuit’s decision broadly interpreted the federal anti-hacking statute, the Computer Fraud and Abuse Act (CFAA), as prohibiting otherwise authorized access to electronically stored information when access occurred for an improper purpose or outside the scope of the authorization. The case was argued before the Supreme Court on Nov. 30, 2020, and a decision is anticipated in the new year.
The CFAA was passed in 1984 to deter what was then a new form of criminal activity — “hacking” — and provides that anyone who accesses a computer or exceeds authorized access and obtains information is guilty of a crime. Seven circuit courts have weighed in on the scope of the CFAA. The First, Fifth, Seventh and Eleventh have interpreted the meaning of “in excess of authorization” to criminalize access to a computer when it occurred for an improper purpose. The Second, Fourth and Ninth held that a violation of the statute occurs only if someone is prohibited from accessing a computer under all circumstances.
Major U.S. fines and settlements involve Zoom, Capital One and Anthem
Many large settlements were reached in 2020, both in court and in regulatory proceedings. One, in the case of Zoom, includes an agreement with the Federal Trade Commission (FTC) to secure users’ communications but does not include monetary damages. In November, Zoom agreed to implement a comprehensive security program, which includes implementing a vulnerability management program, deploying multifactor authentication to protect its network, and conducting an annual assessment of security risks and remediation actions. Zoom is also barred from any misrepresentations in regard to its privacy and security capabilities. In addition, the company is required to obtain biennial assessments of its security program from an independent third party to be approved by the FTC.
In August, the Office of the Comptroller of the Currency levied a fine of $80 million against Capital One over a 2019 data breach that occurred when Capital One migrated its IT systems to public cloud servers. This resulted in a former employee accessing approximately 140,000 Social Security numbers and 80,000 linked bank account numbers from individuals who had applied for accounts with the bank. As part of the settlement, Capital One neither admitted nor denied any wrongdoing.
Health insurance provider Anthem agreed to pay $39.5 million to settle data breach claims in 42 states and the District of Columbia over a 2015 cyberattack that exposed the personal information of nearly 80 million customers, including Social Security numbers and income data. In addition to the monetary penalty, Anthem agreed to implement a comprehensive security program, to include regular security reporting to its board of directors as well as antivirus maintenance, risk assessments, penetration testing and employee training. Anthem did not admit to any liability or wrongdoing in the settlement.
UK, French regulators levy multimillion-dollar fines against BA, Marriott and Ticketmaster
In October 2020, the U.K.’s and France’s data protection authorities fined British Airways and Marriott more than $50 million over a 2018 data breach. We covered these fines in an alert in November, noting the fines should be a warning to companies to be vigilant about reporting breaches as soon as they are confirmed, and about taking immediate action to remediate the cause, mitigate damages, actively communicate with data subjects about the breach and offer appropriate relief. The fines were particularly noteworthy in that they were significantly decreased from amounts proposed by the data protection authorities, in part due to the companies’ cooperation and the financial impact of the COVID-19 pandemic.
More recently, the U.K.’s data protection authority levied another large fine, this time against Ticketmaster, over a 2018 data breach. The fine totaled £1.25 million ($1.65 million) and was issued over Ticketmaster’s failure to secure its customers’ personal details and its exposure of thousands of customer bank accounts to fraud.
Major court decisions and regulatory guidance
Major biometric lawsuits continue in state and federal courts
There have also been developments surrounding the protection of biometric information in the U.S. In a significant decision in Fox v. Dakkota Integrated Systems, LLC, the U.S. Court of Appeals for the Seventh Circuit brought clarity to employers’ obligations in relation to their employees’ personal data. The court reversed a district court’s order that remanded a lawsuit under the Illinois Biometric Information Privacy Act (BIPA) to state court following its removal.
In that case, plaintiff-appellee Fox sought to bring BIPA claims against her former employer Dakkota Integrated Systems, LLC, for its alleged improper collection, use, retention and disclosure of her handprint. After the case was removed from state to federal court by defendant, Dakkota moved to dismiss the case for lack of Article III standing (namely, the lack of concrete injury). The district court ruled that Fox lacked standing to make claims under BIPA, based on the Seventh Circuit decision in Bryant v. Compass Group USA, but instead of dismissing the BIPA claims, the court remanded them to state court.
The Seventh Circuit ruled that the district court misinterpreted the Bryant precedent (and others) because “an unlawful retention of biometric data inflicts a privacy injury in the same sense that an unlawful collection does.” The appellate court noted that under Spokeo v. Robins, it was defendant’s burden to establish that plaintiffs had Article III standing when it removed the case to federal court. The appellate court ruled that plaintiff-appellant indeed had standing under its decision in Miller v. Southwest Airlines Co., where “plaintiffs, as union members, had standing to pursue their claims in federal court because the collection, use, and retention of biometric data are topics for collective bargaining and could be used to win offsetting concessions on wages or other topics.” The Seventh Circuit ruled that Fox’s circumstances were “indistinguishable” from those in Miller, as she was also represented by a union while working for Dakkota. This BIPA action will continue in federal court.
In another recent decision, an Illinois federal court denied in part Apple’s motion to dismiss a putative class action alleging its facial recognition software violated BIPA. According to plaintiffs, defendant’s software collected their biometric identifiers without their consent, and defendant did not have a retention policy. Additionally, plaintiffs alleged that defendant profited by selling devices that include the software. The court denied the motion to dismiss regarding the unauthorized collection of biometric information claims, because by failing to obtain written consent from plaintiffs to collect biometric information, Apple inflicted the type of concrete injury BIPA was designed to protect against.
Another Illinois decision involves Clearview AI’s unsuccessful attempt to have a putative class action dismissed, in Mutnick v. Clearview. Plaintiffs allege that defendant illegally scraped more than 3 billion pictures from various social media platforms to improve its facial recognition software. Defendant argued that the court didn’t have jurisdiction over plaintiff’s BIPA claims because defendant never specifically targeted residents of Illinois and had no connections to the state. The court found jurisdiction because defendant had executed hundreds of agreements with a variety of law enforcement and other government agencies as well as private businesses, including ones based in Illinois, to provide access to its facial recognition database. Furthermore, defendant marketed licenses and negotiated a contract for its database with the Illinois secretary of state.
COVID-19 and contact tracing
While geolocation data also continues to be a developing topic of interest — both in the privacy and the litigation contexts — as discussed in an article for Practical Law by Kramer Levin’s Privacy Counsel, nowhere has geolocation data, coupled with personal health information (PHI) and biometric data, received more attention in 2020 than as pertains to contact tracing and managing the COVID-19 public health crisis.
Throughout the year, the U.S. Department of Health and Human Services, including the Office for Civil Rights (OCR), has published numerous guidelines and guidance to HIPAA-regulated entities concerning contact tracing and use of COVID-19-related health information. In August, OCR specifically advised that the “HIPAA Privacy Rule permits HIPAA-covered entities (or their business associates on the covered entities’ behalf) to use or disclose PHI for treatment, payment, and health care operations, among other purpose without an individuals’ authorization.” This guidance was directly tied to covered entities’ efforts to contact trace and to seek plasma donations from COVID-19 survivors.
Issues to watch in 2021
Are forensic reports — including those arising out of a cyber breach — privileged?
In an ongoing discovery dispute, the Federal Reserve System’s board of governors objected (sub. req.) to discovery requests from members of a proposed class action against Capital One regarding a 2019 data breach. The Fed argued that it had already cooperated with previous requests for documents concerning the Capital One breach and that providing any further information would violate the regulator’s privileged relationship with the bank. Despite already having been denied by a Virginia magistrate judge, the consumers have now moved before the district judge to have the results of a report conducted by the Fed turned over because they believe it contains information vital to their case. In response, the Fed stated that it had already made “extraordinary and unprecedented efforts” to share all necessary facts from the report and argued that the consumers were unable to articulate to the court why the information was necessary under the “good cause” standard. The suit is one of many in multidistrict litigation against the bank in response to a data breach that led to the theft of 106 million people’s personal information. In this litigation, Capital One has already been ordered to produce to plaintiffs the Mandiant forensic report, despite arguments that the report was privileged.
Privacy observers await national privacy legislation amid strong bipartisan consensus
Privacy advocates have long called for uniform privacy and data security legislation in the U.S. An article recently published by the International Association of Privacy Professionals looked at what a Biden administration could mean for privacy and cybersecurity and suggested this, along with the renegotiation of the U.S.-EU Privacy Shield Framework, would be an area of focus for the incoming administration.
This is an area of possible bipartisan collaboration, as numerous drafts with sponsors from both sides of the aisle have been introduced in 2019 and 2020.
COVID-19 developments such as vaccination cards, PHI and contact tracing
Among the important privacy issues to be resolved in 2021 are the implications of potential vaccination legislation and contact tracing programs. The federal and state governments will look at the question of whether employers, schools and others may request — or potentially require — a vaccination card showing a person is up to date with COVID-19 vaccination. In a related issue, the government must resolve the question of whether a person may refuse to be vaccinated.
Similarly, contact tracing will continue to raise many questions that various federal and state regulators will need to address in 2021. One such question is the scope of information collected: How much personal information is “enough” for the purposes of warning individuals they might have been exposed to COVID-19? Who is authorized to collect this information, and for how long?
Further regulatory action for the EU
As the year draws to a close, the European Commission announced two new comprehensive privacy laws in draft form: the Digital Services Act (DSA) and the Digital Markets Act (DMA). Both will have international reach and should be on the radar of every company doing business in the EU with a digital footprint. The European Commission has noted the two main goals of the DSA and the DMA are to “create a safer digital space in which the fundamental rights of all users of digital services are protected” and to “establish a level playing field to foster innovation, growth, and competitiveness, both in the European Single Market and globally.” The DSA and the DMA are expected to be refined and go into effect sometime in 2021.
Kramer Levin’s privacy and data security team will continue to monitor all of these areas and privacy issues, reporting on them in the Perspectives section of our website. For more information, you can also subscribe to our weekly Advertising Litigation newsletter, which includes a section on privacy and data security.