
The Tip of the Night for December 31, 2019 discussed the California Consumer Privacy Act (CCPA), the statute which protects consumer privacy rights. Be sure to note that under the Act, a company can be required to pay in a private suit the greater of statutory damages of between $100 and $750 per consumer per incident, or the actual damages sustained by a victim of the data breach. See Cal. Civ. Code § 1798.150. If the state attorney general decides to prosecute a company, private civil suits for the same breach may be barred. The attorney general can seek a penalty of $7500 for each intentional violation and $2500 for each unintentional violation, and these violations are counted for each impacted consumer.



Today, Justice David Barniville of the High Court of Ireland issued a decision in Facebook Ireland, Ltd. and Data Protection Commission and Schrems, 2020 No. 617 JR, available at: https://noyb.eu/sites/default/files/2021-05/High%20Court%20Judgement%202021-05-14.pdf, which ruled on the applications of Facebook and Schrems for judicial review of a preliminary decision by the DPC on whether Facebook was making lawful transfers of the personal data of EU citizens. Facebook contended that the DPC's decision was unlawful under the GDPR because, amongst other grounds, the DPC did not conduct an investigation beforehand and because Facebook was not given sufficient time to make a submission to the DPC. Schrems stressed the importance of the DPC acting quickly under the GDPR and in light of the decision by the Court of Justice of the European Union in Schrems II. (See the Tip of the Night for July 22, 2020.)


Justice Barniville concluded that Facebook was not entitled to relief, but did request additional comments from counsel on the refusal by the DPC to provide information requested by Facebook.


The DPC was found to have adequate reasoning for its decision to conduct an inquiry, and the procedure it followed was deemed to be adequate. Facebook was given reasons why the decision was made; it was given enough information to decide whether or not an appeal was needed; and the reasons given allowed the court to conduct a proper review.


A period of 21 days was deemed to be a sufficient time for Facebook to make submissions. The court noted ". . . that in addition to its obligation to respect the rights of the defence and to afford fair procedures, including the right to be heard, to those who are subject to an inquiry commenced by the DPC, the DPC also has significant obligations under the GDPR to act expeditiously in the exercise of its powers." Id. ¶ 262.


The DPC was found not to have acted ultra vires in breach of its obligations under the GDPR: ". . . I accept the DPC’s submission that in the absence of prescribed requirements for an inquiry . . . it is open to the DPC to gather information in a variety of ways, subject at all times to the overriding requirement of fair procedures as well as the other requirements contained in the GDPR concerning the need for expedition and due diligence." Id. ¶ 158.


The DPC was not required to wait for guidance from the European Data Protection Board in its pending examination of the Schrems II decision. "There is nothing in the GDPR concerning the establishment and functions of the EDPB which would impose such an obligation upon the DPC or preclude it from proceeding with the inquiry. On the contrary, I am satisfied that there is nothing in the GDPR which would support the contention that the absence of guidance from the EDPB amounted to a bar on the DPC commencing and proceeding with the inquiry." Id. ¶ 346.


Justice Barniville also ruled that the DPC had not breached a duty of candor owed to Facebook, and that allegations of an abuse of process brought by the DPC against Facebook, and then withdrawn, were baseless and should have been withdrawn sooner.


This decision allows the inquiry by the Data Protection Commission against Facebook to proceed, which could potentially halt transfers of personal data outside of the European Union.
In 2019, New York State passed new legislation, the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), N.Y. Gen. Bus. Law § 899-bb. The SHIELD Act requires businesses to implement reasonable safeguards to protect the security and confidentiality of the private information of New York State residents.


A business must adopt a data security program, and take the following measures:

  1. Identify company employees who are responsible for enforcing the program.

  2. Identify reasonably foreseeable external and internal risks.

  3. Assess the adequacy of the safeguards, in particular evaluating:

    1. network risks

    2. software risks

    3. data processing risks

    4. data transmission risks

    5. data storage risks

  4. Provide training in the security program to its employees.

  5. Engage service providers who are contractually bound to implement the safeguards.

  6. Update the program as circumstances change.

  7. Respond to attacks or failures of its system.

  8. Test the effectiveness of its program.

  9. Dispose of information when it is no longer needed for any business purpose.

The SHIELD Act specifically directs that, when private data is disposed of, electronic media be erased so that the data cannot be read or reconstructed.


If a business has fewer than 50 employees, less than $3M in gross annual revenue for the past 3 years, or less than $5M in total assets, the measures it takes need only be proportional to the resources of the business, the scope of its activities, and the nature of the personal information it collects.


A business will be automatically considered to be in compliance with the SHIELD Act if it complies with the data security regulations under any of the following:


1. Title V of the Gramm-Leach-Bliley Act, which addresses consumer data held by financial institutions.

2. HIPAA

3. The Health Information Technology for Economic and Clinical Health Act (HITECH)

4. New York State's cybersecurity requirements for financial services companies under 23 CRR-NY § 500; OR

5. The data security regulations of any other federal or New York state department or agency.


The SHIELD Act added biometric data, and user name and password account information, to the Social Security number, driver license number, bank account number, and credit card number data covered by earlier legislation.



Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.