Over the past few years, there has been a surge in class actions challenging companies’ privacy and data security practices. But, while the number of class actions continues to grow, the suits face several significant challenges, have afforded limited relief to individual consumers, and have provided no coherent privacy standards in the US. By comparison, the primary government regulator, the US Federal Trade Commission (FTC), has proven much more effective in enforcing privacy and data security practices.
The first hurdle: the requirement of ‘standing’ or the need for an ‘injury in fact’
Class action litigation has not proven to be an efficient mechanism for claimants in the US to seek redress for alleged privacy damages.
This stems from the difficulty of having a compensable harm arise from a violation of a privacy-related right under US law.
This creates an important threshold problem in the US federal courts.
Indeed, litigants must demonstrate that they have ‘standing’ to be able to pursue their claims before a federal court.
‘Standing’ has in turn been interpreted to require plaintiffs to establish, among other things, that they suffered an ‘injury in fact’ that is concrete and actual or imminent, not hypothetical or conjectural.
Numerous class actions based on the collection, use and disclosure of data have been derailed because plaintiffs have not adequately alleged an ‘injury in fact’ sufficient to confer ‘standing’.
More than 15 years after the adoption of the Data Protection Directive, the European Commission noticed that the current legislative framework on data protection did not adequately deal with the risks associated with online activity.
Acknowledging this, the General Data Protection Regulation (GDPR) was finally adopted by the European Parliament on 14 April 2016, entering into force in May 2016 and becoming directly applicable in all Member States on 25 May 2018.
The GDPR targets the data controller or its processor and provides a set of standardised rules relating to personal data processing by such entities.
It also provides means to enforce these provisions.
Specifically, the GDPR introduces, everywhere in Europe, collective actions, which can be initiated by not-for-profit bodies dedicated to personal data protection thanks to consolidation mechanisms.
An action before national courts against a controller or a processor
Without prejudice to any available administrative or non-judicial remedy, the GDPR enables the data subjects to bring a claim against a controller or processor in national courts when they consider that their rights under the GDPR have been infringed as a result of a processing (Article 79).
In this respect, the GDPR provides the data subject with a real choice of forum, allowing data subjects to bring their action before different courts (Article 79) as well as a lis pendens system requiring courts to suspend their proceedings or decline jurisdiction where identical proceedings are pending before another court (Article 81).
Both the French Council of State in its annual report for 2014 as well as the National Digital Council (hereinafter, “CNNum”) in its “Digital Ambition” report voiced support for the creation of an action enabling consumers to collectively seek redress for violations of regulations protecting personal data.
However, their recommendations are different regarding the goal of this action.
After some hesitation and numerous debates, the collective action for data protection finally became a reality in November 2016 thanks to the adoption of the law on the modernisation of 21st century justice.
Creation of a general framework applicable to class actions in France
In the scope of the adoption of the Law on 21st century justice, the French lawmaker intended to create a common general set of rules which would be applicable to various specific class actions.
The ambition was, therefore, to create what could be described as a “class action common law”, composed of a corpus of general rules which would be applicable to specific class actions, unless otherwise provided.
Article 60 of the Law on 21st century justice lists five specific class actions to which the common set of rules applies, relating to:
- the fight against discrimination;
- discrimination in the workplace;
- environmental claims;
- health issues; and
- computer technology, data and freedoms (see below).
Could the GDPR give rise to forum shopping and are there any pre-litigation strategies that should be considered? Here, we review four key elements that should be kept in mind in respect of data class actions in the EU.
In the US, many class actions are dismissed for lack of ‘standing’, i.e. because the litigants do not demonstrate that they suffered an ‘injury in fact’ that is concrete and actual or imminent.
Does the US ‘injury in fact’ standard apply for data class actions in Europe?
Under the GDPR, data subjects have the right to recover both material damages and non-material damages (Article 82).
Hence, in the event of liability, all damages which have been caused by the data protection infringement have to be compensated.
This extended liability is remarkably different from the current legal situation under many Member States’ data protection laws.
Quick glance at France: the data class action may be used to put an end to an infringement of the provisions governing the protection of personal data.
The law expressly specifies that this class action cannot give rise to compensation in the form of damages.
It is a purely injunctive form of collective redress.
Yet, this position may evolve in the future as a bill is currently being debated and provides for the creation of a compensatory data class action.
A data lake is an infrastructure that permits different data sets from within a group to be combined and analysed together.
To analyse a data lake under GDPR, it is helpful to think of a data lake in two phases, which we analyse in our user guide.
The infrastructure phase
Here, the guide covers:
- Identify the entity that is hosting the data lake.
- Implement an intragroup data processing agreement.
- Check data localisation rules.
- Data protection impact assessment.
- Data lake governance committee.
The applications phase
Specifically, we look at:
- Data lake service provider becomes data controller.
- Instructions from each affiliate as (original) data controller.
- Mapping value transfers from data lake applications.
- Data lakes and applicable law.
- Additional purposes that are “compatible”.
- Data protection impact assessments.
Discover more about ‘Getting to data nirvana’
Our series of guides help you integrate your legal, regulatory and compliance work streams into your organisation’s overall data strategy.
Take advantage of the far-reaching changes brought about by the GDPR with our European Privacy Tool, which offers realistic, practical and workable insights as well as templates, helping to ensure that you are successful in meeting the applicable regulatory requirements.
The era of big data is here. Although we are yet to see its full potential, the use of big data analytics is already proving invaluable to businesses and its applications have been found in numerous and diverse sectors.
However, the use of big data has also brought much controversy, particularly when it involves sensitive information, concerns children, minorities or other vulnerable people, or where the decision-making has a significant impact on individuals.
As both public interest and regulatory scrutiny in artificial intelligence, machine learning and big data continue to build, it is becoming increasingly important for businesses to be aware of individuals’ rights over their data and to be prepared to demonstrate compliance with data protection laws.
This is particularly the case for organisations working with data about individuals in Europe, as the regulatory framework on data protection has changed with the EU General Data Protection Regulation (GDPR) coming into force in May 2018.
Both Chambers of Congress are considering legislation that would amend the Telephone Consumer Protection Act (“TCPA”). Introduced in the House by Congressman Pallone (H.R. 6026) and in the Senate (S. 3078) by Senator Markey, the Stopping Bad Robocalls Act adds a new definition, “robocall,” in place of “automated telephone dialing system.” The new term would include devices that make calls using “numbers stored on a list” (in addition to dialing random or sequential numbers). The new definition clarifies that robocalls do not include using equipment where “substantial additional human intervention” is required to place the call.
The bills would also require the Federal Communications Commission (“FCC”) to establish a nationwide database of reassigned telephone numbers. In addition, they would require the FCC to implement caller ID verification regulations under which voice service providers would have to ensure that information is accurate and prevent calls from connecting where such verification cannot be made.
The bills would also extend the statute of limitations for FCC enforcement of TCPA violations from 1 year to 4 years.
On August 2, 2018 the FCC unanimously adopted a Notice of Inquiry (“NOI”) seeking comment on creating the “Connected Care Pilot Program,” a Universal Service Fund (“USF”) pilot program. The program aims to improve health outcomes and reduce healthcare costs by promoting broadband-enabled telehealth service adoption among low-income families, particularly in rural, unserved, or underserved parts of America, as well as with veterans.
The NOI seeks comment on numerous aspects of the proposed pilot program:
- The goals of the connected care telehealth support;
- The statutory authority for the program under section 254 of the Communications Act;
- The design of the connected care pilot program, including:
  - the proposed $100 million program budget for 20 projects, with $5 million of the budget dedicated to funding broadband connectivity to low-income patients;
  - the application process and types of telehealth pilot projects that should be funded;
  - eligibility criteria limiting program participation to:
    - healthcare providers that serve low-income patients;
    - broadband service providers that are section 214-eligible telecommunications carriers;
    - low-income consumers that are Medicaid-eligible or cost-free healthcare eligible veterans;
  - the broadband and other communications services, service standards, and equipment that should be supported;
  - whether 2-3 years is the right duration for the program; and
  - how to measure the effectiveness of pilot projects in achieving the goals of the program and whether the FCC should require clinics, hospitals, and/or ETCs to report certain data.
Commissioners O’Rielly and Rosenworcel said they remain skeptical of the FCC’s authority to conduct the pilot program, and Rosenworcel said the FCC “cannot borrow from the authority of the Lifeline program for a new project without first reconciling the damage it has proposed to do to those who already depend on it.” Commissioner Carr said the $100 million for grants would not come from Lifeline funding, but would be a one-time infusion of USF money and touted the program’s potential to spur broadband deployment and achieve better health outcomes and cost savings.
Comments are due September 10, 2018, and reply comments are due October 10, 2018.
Thank you to everyone who participated in last week’s webinar “California Consumer Privacy Act: What you need to know now.”
In this complimentary webinar, Hogan Lovells partners Mark Brennan, Bret Cohen, Harriet Pearson, and Tim Tobin, discussed:
• What triggered the new law?
• What data is covered?
• What does CCPA require, and how do you start operationalizing the requirements?
• Disclosure requirements
• Opt-out and opt-in requirements
• Data access, portability, and “right to delete” requirements
• What’s the impact on your GDPR compliance program, and what additional steps do you need to take now?
• How will the CCPA be enforced?
Stay tuned to the blog for future updates on this ground-breaking new law that some are calling the U.S. equivalent of the EU GDPR.
Join us on 16 or 21 August for the fourth in our LimeGreen Live webinar series in conjunction with the Hogan Lovells Consumer Industry Sector Group.
This webinar will explore the IP opportunities and risks for businesses operating in, or looking to enter, the wearable technology market. Our presenters will discuss the lifecycle of a wearable technology product, from building or acquiring an IP portfolio, branding considerations and new types of legal risks relating to SEPs, to commercializing your technology through the use of data.
Our transatlantic team, including lawyers from London, San Francisco and Northern Virginia, will cover the patent, trademark and transactional considerations in each session.
Click here to register for this webinar or contact Joshua Prietzel for more information.