Photo: deepadesigns/Shutterstock.comTrends in 2020 for Data and Personal Privacy
In his Technology Law column, Peter Brown looks ahead to trends to follow in 2020 that impact on personal data in New York, California and the European Union.
January 27, 2020 at 12:30 PM
8 minute read
It has become a common experience for a consumer to search the Internet for a single airfare to a vacation destination, only to be inundated with solicitations from airlines and travel services for special travel deals from Florida to Fiji within hours. Consumers have learned to their dismay that the cost of the ubiquitous Internet is losing control over their personal data which feeds Internet commerce.
In 2017, the magazine The Economist published an article titled, "The world's most valuable resource is no longer oil, but data." Ever since, legislators in the United States and Europe have been creating new laws and regulations to allow the individual to control and protect their valuable personal data. This article will look ahead to trends to follow in 2020 that impact on personal data in New York, California and the European Union.
Limits on European Rules
It is widely recognized that the broadest framework for the regulation and protection of personal data is the European Union's General Data Protection Regulation (the GDPR) 2016/679 which provides for data protection and personal privacy. The GDPR has been influential in shaping the discussion about Internet personal privacy in many countries, including the United States.
One of the more controversial outgrowths of the GDPR is the "right to be forgotten" i.e. the right to have inaccurate, damaging or outdated personal data deleted from search engines and websites. This right was defined in a case brought by a Spanish citizen, Mario Costeja González, against Google Spain SL and ultimately decided by the European Court of Justice in May 2014. González objected to a Google link to a newspaper article about a personal debt and foreclosure that had been previously resolved. The court held that the right to be forgotten was a human right and ordered that the links to the newspaper article be removed. Since that decision was issued, Google has removed over a million unwanted links in response to requests from individuals in the EU.
It was commonly accepted that the rules relating to the right to be forgotten applied to the countries of the European Union and the European Economic Area. However, in considering the rights of its citizens the French Data Protection Authority (the CNIL) ruled that Google and other search engines were required to remove all links to disputed information ("de-referencing") on all versions of its search engine, not only in France and the EU countries, but also anywhere else in the world. Google was fined 100,000 Euros for its refusal to comply with a de-referencing request. Google commenced a litigation against the CNIL to overturn the fine and the broad declaration as to the scope of the CNIL's authority.
On Sept. 24, 2019 the European Court of Justice decided that the rules related to the right to be forgotten need not be applied outside the EU on all versions of Google's search engine. As the court noted, "The balance between the right to privacy and protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world." Further, the court stated that the right to be forgotten "is not an absolute right."
Without this ruling, it was conceivable that the French privacy authorities at CNIL would control some of the information available to Google users in the United States or other countries. In addition, if the French privacy authorities position were upheld, it was conceivable that countries with very restrictive Internet policies, like China or North Korea, could try to impose their own concepts of privacy on a similar world-wide basis. Nevertheless, the policies arising out of the GDPR have had an impact on U.S. law where our citizens are slowly accepting the need for broader personal privacy on the Internet.
California Rushes to the Lead
Given the lack of a national standard for privacy on the Internet, the California Legislature seized the initiative by passing the California Consumer Privacy Act of 2018 (the CCPA). As has been widely discussed, the provisions of the CCPA became effective on Jan. 1, 2020. Generally, the law applies to companies doing business in California with annual revenues of $25 million or more or companies that derive 50% or more of their revenue from selling consumers' personal information. Some companies may subject to the CCPA for more specialized reasons.
The CCPA includes a consumer's right to deletion which is similar to the GDPR's right to be forgotten. Pursuant to CCPA, §1798.105, when a covered organization receives a "verifiable consumer request" it must "delete the consumer's personal information from its records." The same request covers the company's service providers. In addition, consumers must be given notice of this right to deletion.
On its face this appears to be a broad set of rights for the consumer. However, the CCPA lists nine exemptions to such deletion requests which have broader application than those specified under the GDPR. These exemptions include the need to retain personal information (1) to complete the delivery of goods or services; (2) for protection against security incidents, fraud or illegal activity; and (3) ensuring the right of another consumer to exercise their right of free speech. Since the CCPA has just taken effect, it will take several years, and some guidance from the California attorney general, before the practical application of the nine vague and expansive exemptions can be judged. Some commentators have expressed the opinion that based on their plain language the nine exemptions may provide an opportunity for most companies to disregard the majority of requests for erasure.
New York's Anticipated Innovation
In 2019 the New York Privacy Act (NYPA) s5642 was introduced in the New York Senate following the lead of California. While this proposed legislation failed to pass in 2019, it introduced a new concept worthy of note. Generally, the bill provided for an affirmative "opt in" by consumers to have their personal data used for commercial purposes. Individuals could have personal data corrected for errors or deleted entirely. The proposed bill also provided for a private right of action against search engines or websites that violated the restrictions of the law. It also allowed successful plaintiff's to recover their reasonable attorney fees. This private right of action appears to have created significant industry objections, with dire predictions of a flood of meritless litigation. In contrast, the CCPA permits litigation to be brought against technology companies who violate the law only by the California attorney general.
One of the truly innovative aspects of the proposed NYPA was the introduction of the concept of a "data fiduciary." Under the law's provisions a new obligation would be created for companies collecting individuals' personal data. It is generally understood that personal data is collected by other fiduciaries, like lawyers or doctors, but they are under an obligation to only share the data when it is needed for a necessary professional purpose. Under the proposed statute companies who collect personal data would have an affirmative duty to protect the interests of the individuals whose data is harvested. Implicit would be the obligation to put their users' or customers' privacy ahead of their corporate profits. The key provision includes the following language:
Personal data of consumers shall not be used, processed or transferred to a third party, unless the consumer provides express and documented consent. Every legal entity, or any affiliate of such entity, and every controller and data broker, which collects, sells or licenses personal information of consumers, shall exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.
The concepts of acting "in the best interests of the consumer" combined with a private right of action, is a potentially volatile combination. Privacy professionals will be watching the 2020 Legislature closely to see if the concept of "data fiduciary" survives in the likely 2020 legislative initiatives in the field of technology privacy.
Peter Brown is the principal at Peter Brown & Associates. He is a co-author of "Computer Law: Drafting and Negotiating Forms and Agreements" (Law Journal Press).
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
The Unraveling of Sean Combs: How Legislation from the #MeToo Movement Brought Diddy Down
When It Comes to Local Law 97 Compliance, You’ve Gotta Have (Good) Faith
8 minute read
From ‘Deep Sadness’ to Little Concern, Gaetz’s Nomination Draws Sharp Reaction From Lawyers
7 minute read
Trending Stories
- 1Gibson Dunn Sued By Crypto Client After Lateral Hire Causes Conflict of Interest
- 2Trump's Solicitor General Expected to 'Flip' Prelogar's Positions at Supreme Court
- 3Pharmacy Lawyers See Promise in NY Regulator's Curbs on PBM Industry
- 4Outgoing USPTO Director Kathi Vidal: ‘We All Want the Country to Be in a Better Place’
- 5Supreme Court Will Review Constitutionality Of FCC's Universal Service Fund
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
