It Truly Was a Very Good Year
In this E-Communications column, Stephen Treglia recaps the past year, writing: 2018 clearly was a very good year for data privacy statutes, regulations and case law. In fact, it was unquestionably the best year ever, by far.
January 28, 2019 at 02:50 PM
10 minute read
Frank Sinatra fans might recall his 1965 hit, “It Was a Very Good Year.” Well, 2018 clearly was a very good year for data privacy statutes, regulations and case law. In fact, it was unquestionably the best year ever, by far.
GDPR
Probably leading the way was the General Data Protection Regulation (GDPR) of the European Union (EU), which took effect on May 25th. Certainly, much has been written about GDPR already, and it is not the intention of this article to analyze this legislation in much depth.
As is true of most privacy laws and regulations currently in existence, GDPR's definitive applicability will almost certainly require regulatory and/or judicial interpretation in the years ahead. Even determining the persons and businesses covered is not exactly the simplest of tasks.
Article 3 is the starting point and is titled “Territorial scope.” Section 1 states GDPR applies to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” The general consensus appears to be that if the controller or processor has been “established” in the EU, GDPR protections are granted to all individuals' personal data under the control of or processed by that business regardless of the citizenship of its customers or employees.
Section 2 of Article 3 makes GDPR applicable to controllers and processors “not established in the EU” that offer “goods or services” to “data subjects in the EU” or monitor such persons' behavior taking place in the EU. It would seem that GDPR protections apply, under this section, to anyone physically present in the EU regardless of citizenship, and do not apply to EU citizens who are not physically present there.
GDPR has already been well-documented for its innovative privacy concepts such as data subject rights, the right to be forgotten and a company's institution of privacy by default and design in its cybersecurity system. In contrast to data privacy rules generally found in America, which focus more on industry-specific privacy data, such as health care or finance, GDPR views personal data as an individual's right.
CCPA
A little more than a month after GDPR went into effect, California enacted its own new data privacy legislation called the California Consumer Privacy Act (CCPA). In the legislation's preamble, it is clearly stated that in California, there is a generic right to privacy set forth in its state's Constitution. This is as opposed to the U.S. Constitution, which does not recognize the existence of such a right.
Currently scheduled to go into effect on Jan. 1, 2020, it has already been amended once and is awaiting additional regulation from the Attorney General prior to becoming enforceable. Occasionally referred to as “GDPR lite,” it generally does not have as broad a reach as its EU counterpart, but assuming one is CCPA-compliant if GDPR-compliant may be a little short-sighted. While the bill is labeled the “California Consumer Protection Act,” its applicability may be a bit wider than GDPR's in certain situations.
CCPA defines a “consumer” as “a natural person who is a California resident.” Some commentators have stated that despite the bill's title, this definition of consumer evinces the legislature's intent to extend its applicability beyond the traditional meaning of the word “consumer” and apply as well to the employees and vendors of covered businesses (ones that gross more than $25 million a year, derive over 50 percent of their revenue from selling consumer data, or process more than 50,000 consumers' data annually). It is also noteworthy that unlike the second territorial scope provision of GDPR, CCPA does not appear to require its protected class of citizens to actually be physically present in California.
Alabama and South Dakota Join In
Last year also saw the final two states not to have data protection and breach notification laws in place, Alabama and South Dakota, join their fellow states. In fact, these latest two entries demonstrated a willingness to offer their respective residents aspects of data protection found in few other U.S. states.
Alabama didn't just require protection of its citizens' personal information, but took the step, rarely found in the laws of its sister states, to define what it considers to be reasonable levels of cybersecurity. The law also defines what a business whose data has been breached must do to investigate the incident and requires it be done promptly.
South Dakota's novel requirement is that all three consumer reporting agencies must be notified of a data breach if any of its state's residents is affected. Other states that require consumer agency notification don't mandate it until a certain minimum number of victims' personal data has been breached.
'Carpenter'
The biggest data privacy event of 2018, however, was not the result of legislation or regulation, but a decision from the U.S. Supreme Court. On June 22nd, the court issued Carpenter v. United States, 585 U.S. ___, which superimposed a dark shadow over what had previously been bright-line case law for over 40 years.
The defendant in Carpenter was a suspect in a series of robberies in Michigan and Ohio. Through information provided by a co-conspirator, law enforcement identified a cell phone number of one of the accomplices. A prosecutor assisting in the investigation secured a court order pursuant to 18 U.S.C. §2703(d), often referred to as an “articulable facts order” or a “2703d order”, to obtain prior cell site location information (CSLI) of one of the suspects. This information demonstrated that the defendant was in the area of the various robberies when they occurred.
Prior to the trial, Carpenter sought suppression of the 127 days' worth of CSLI, arguing it was information that should have been acquired via a search warrant supported by probable cause. In a 5-4 decision, the court agreed with the defendant.
In doing so, the majority distinguished CSLI from a long line of case law that had previously consistently held that no person had a reasonable expectation of privacy in any information shared with another person, which, therefore, did not mandate acquisition by law enforcement via a search warrant. Beginning with bank records (canceled checks, deposit slips and monthly statements) in United States v. Miller, 425 U.S. 435 (1976), and followed shortly thereafter with numbers dialed on a telephone in Smith v. Maryland, 442 U.S. 735 (1979), courts have routinely followed what is often referred to as the “third-party rule,” as had the Sixth Circuit in affirming the trial court's denial of Carpenter's motion to suppress.
Despite the fact that a cell phone user shares his or her physical location with a mobile device service, the majority of the court ruled Carpenter had a reasonable expectation of privacy in the extended pattern of his public whereabouts. To rule otherwise would endanger revealing a person's “familial, political, professional, religious, and sexual associations” due to such “seismic shifts in digital technology.”
The Carpenter majority expressly acknowledged it was not overturning the holdings in Miller or Smith. It was only declining to extend them to historical CSLI. One obvious result is that the third-party rule is no longer the crystal-clear bellwether it once was.
Interestingly, the court even went so far as to say it was not deciding the legality of acquiring “real-time” CSLI via an articulable facts order under the Stored Communications Act. This leaves a somewhat awkward anomaly in place: historical CSLI can only be secured via a search warrant, while real-time CSLI may still be acquirable with a 2703d order.
'LabMD v. FTC'
Only one significant court decision slightly tipped the scales against personal information privacy last year. On June 6th, a three-judge panel of the Eleventh Circuit invalidated an enforcement action instituted by the Federal Trade Commission in LabMD v. FTC.
The FTC had issued a cease and desist order following a personal data breach at LabMD, as it has in many other cases, demanding that the company upgrade its cybersecurity practices to prevent future unauthorized access to its HIPAA-protected patient data. The FTC cited its oft-used authority to issue such an order based on a finding of the presence of “unfair acts or practices” under §5(a) of the FTC Act.
LabMD pushed back, and the Eleventh Circuit agreed that the order did not specify any wrongdoing committed by LabMD, but only required it to upgrade its cybersecurity program to “meet an indeterminable standard of reasonableness.” This lack of specificity, the court ruled, invalidated the order as an improper use of §5(a).
Preparing for the Future
While 2018 has seen a substantial and previously unprecedented increase in the laws governing personal data privacy, it is probably pretty fair to reach back to a song written by Roger Nichols and Paul Williams and made popular by the Carpenters in 1970, “We've Only Just Begun.”
For example, the business community is pressuring Congress to create a national data privacy law to avoid having to comply with 50 different sets of rules from each of the individual states. And there will almost certainly be hundreds or more of enforcement actions, administrative interpretations and court rulings in the decades to come.
What to do in the meantime? Certain basic and elementary steps cannot be started soon enough. Data identification and mapping are critical. How can any business know if they come under the jurisdiction of any cybersecurity or data privacy laws if they don't know what kind of data they possess or where it's located?
Once protected personal data is discovered, somebody at your company or practice must take the lead and assume the responsibility of making critical decisions to keep such sensitive data secure. Upper management must buy in to this effort and supply the support, and yes, the funding, to keep that data safe.
Conclusion
One thing is certain despite all the questions about legal interpretations in the future: The last thing anyone wants to discover is that their breached personal data comes under the scrutiny of some agency looking to impose fines and remedial actions. Or to borrow another song from the early 1970s by Fred Karlin, Robb Royer, and Jimmy Griffin which the Carpenters covered in 1971 and turned into another hit on the charts, you don't want to have to face inquisitive regulators wide-eyed and palms turned upward and say “For All We Know.”
Stephen Treglia, Esq., HCISPP, CCSFP, founder and first chief of the cybercrime unit at the Nassau DA's Office, is currently a cybersecurity and data privacy consultant at ACA Compliance Group in Manhattan.