Data, Privacy & Security Practice Report – March 13, 2017

13 Mar 2017

Wireless Carriers Warn FCC That Net Neutrality For Texts Will Increase Spam – The Federal Communications Commission (“FCC”) is weighing the benefits of protecting SMS text messaging under Title II of the Communications Act of 1934, often referred to as the Open Internet rules, versus continuing to protect consumers from a potential bombardment of unwanted texts.  If the FCC reclassifies SMS text messaging as a common carrier service under Title II, it will impose net neutrality rules, which would prevent Internet providers from blocking or throttling text message traffic.  Twilio, a company that provides mass texting services to businesses, has been fighting for the FCC to clarify that texts should be regulated under the Open Internet rules.  Wireless industry players have recently responded that the change would hurt consumers.

Twilio provides services that allow customers to text with businesses, but its messages have repeatedly been blocked by wireless carriers.  According to Twilio, wireless carriers are simply leveraging their monopoly connections to increase the price of text messaging.  Twilio has been able to point to a recent study indicating that users overwhelmingly prefer text messages when communicating with brands.

Since Twilio first asked the FCC to unambiguously declare text messaging services as Title II services in August 2015, wireless carriers have opposed the change on the grounds of consumer protection.  Wireless carriers point out that they have reduced SMS spam significantly from its peak levels in 2012, and block hundreds of millions of spam text messages daily. The CTIA, an association of wireless carriers, has accused Twilio of “serving as the conduit for spam” and warned of subjecting Americans' smartphones “to the same degree of frivolous and exploitive content that many Americans’ email inboxes are subject to today.”

Companies like Remind, an automated text messaging service used by schools to communicate with students and parents, and Nomorobo, a service that blocks unwanted texts, have joined Twilio’s push to put text messaging under net neutrality rules.  If they are successful, wireless carriers will no longer be able to block text messages as spam.  The companies argue that wireless carriers are illegally blocking messages that users have solicited.  The companies also argue that customers can implement and customize their own spam blocking measures.  By contrast, last month, the CTIA noted that text messaging remains a trusted communications medium precisely because wireless service providers “have actively managed their platforms to protect consumers from spam or nuisance messages.”  The new Chairman of the FCC under President Trump, Ajit Pai, has indicated that he is generally opposed to net neutrality rules.

Reporter, Anush Emelianova, Atlanta, +1 404 572 4616

UK Privacy Regulator Addresses Data Protection Under The GDPR – On Monday, March 6, 2017, the UK’s Information Commissioner’s Office (“ICO”) held its annual Data Protection Practitioners’ Conference.  During the conference, Information Commissioner Elizabeth Denham, who was appointed to the role of Information Commissioner in July 2016, discussed the General Data Protection Regulation (“GDPR”), which will become effective in May 2018.  Denham’s remarks focused on the GDPR’s role in giving individuals stronger rights to be informed about how their personal information is used and emphasized the need for organizations that handle personal data to have a broader and deeper sense of accountability for the way they handle that data.

In her remarks, Denham highlighted a few examples of organizations that are “getting it wrong” under the current data protection regime.  The common thread among her examples was “organizations failing to put customers first.”  Going forward, however, GDPR will “put even more of an onus on organizations to understand and respect the personal privacy rights of consumers.”  While noting that the GDPR imposes specific new obligations on organizations, including obligations related to reporting data breaches and transferring data across borders, Denham believes that the “real change for organizations is understanding the new rights for consumers.”  Specifically, under GDPR, consumers and citizens will have stronger rights to be informed about how organizations use their personal data.

According to Denham, those with responsibility for the protection of data within an organization must ensure that accountability for data protection is prioritized at all levels of an organization – referred to in the GDPR as “accountability by design.”  Denham also emphasized that while the greater enforcement powers that the GDPR gives to regulators, including significantly increased monetary fines, are one way to make data protection a priority, organizations should see a real business benefit to getting data protection right, achieving both legal compliance and competitive advantage.

Denham also referenced the ICO’s newly published draft guidance on the requirements for obtaining consent under the GDPR.  The draft guidance was published on March 2, 2017, and the ICO is seeking comments on it through March 31, 2017.  The ICO has stated that the draft guidance is the first in what is planned to be an ongoing series of publications by the ICO addressing various topics related to the implementation of the GDPR and the ICO’s recommendations on implementation.  The guidance on consent (1) details what counts as valid consent; (2) gives practical advice on deciding when to rely on consent and when to look for alternative legal bases for data processing; and (3) explains the key differences between the new requirements under the GDPR and the existing requirements under the Data Protection Act (the existing legislation that enacts the provisions of the Data Protection Directive in the UK).

In a press release announcing the release of the draft, Jo Pedder, the ICO’s interim head of policy and engagement, explained that the GDPR sets a higher and more detailed standard for consent; one that will require organizations to reassess and revise their current practices for obtaining and maintaining valid consent.  The ICO explained that companies that rely on consent as the lawful basis for their processing activities must offer individuals genuine choice and control.  Consent is only valid if it is freely given.  Consent likely will not be valid under the GDPR if it does not meet each of the following requirements:

  • Positive opt-in is required for effective consent, which means that valid consent cannot be obtained by default, including through pre-ticked boxes or other similar methods of obtaining consent by default.
  • Consent requests should be documented separately from other terms and conditions.
  • Consent requests should be specific and granular as well as clear and concise.
  • Consent requests must identify by name any third parties that will rely on the consent.
  • Consent requests must tell individuals that they can withdraw consent and should tell them how to do so.  It must be as easy for the individual to withdraw consent as it was to give it in the first place.
  • Consent cannot be a precondition of the provision of a service unless it can be shown that it is necessary for that service.

Organizations must also keep detailed evidence of consents, including who consented, when they consented, and what they were told at the time they consented.

The draft guidance also provides insight into when consent might not be the most appropriate legal basis for data processing.  For example, public authorities, employers, and others in a position of power over data subjects may have difficulty meeting the requirements for establishing that consent has been validly and freely given.  Under the GDPR, the limited circumstances in which personal data can be processed without consent are (1) if it is necessary for fulfilling obligations under a supply or employment contract; (2) for complying with a legal obligation; (3) for carrying out official public duties; or (4) if there is a “genuine and legitimate reason” that is not outweighed by harm to the individual’s rights and interests.

Finally, Denham acknowledged in her remarks that, post-Brexit, the UK may face challenges related to the flow of data across global borders, as different legal systems and cultural norms about privacy complicate things.  However, she noted that the ICO is committed to making sure the ICO as the UK regulator sets a standard for data protection in the UK that is equivalent to the EU’s standard.

Reporter, Ashley B Guffey, Atlanta, +1 404 572 2763

Bipartisan State Cyber Resiliency Act Will Help Local Governments Defend Against And Recover From Cyber Attacks – On March 2, 2017, lawmakers in both the U.S. Senate and U.S. House of Representatives introduced the State Cyber Resiliency Act, which would give state, local, and tribal governments grants to boost cybersecurity protections.  The proposed grants would help states draft cyber resiliency plans to identify, detect, protect against, and recover from cybersecurity threats.  The Act also would encourage states to invest in their cybersecurity workforces.

The Act was introduced by Senators Mark Warner (D-VA) and Cory Gardner (R-CO) and Representatives Derek Kilmer (D-WA) and Barbara Comstock (R-VA).  In announcing the legislation, the lawmakers noted that a 2015 study found that fifty percent of state and local governments faced between six and 25 cyber breaches in the previous two years, and attacks on state and local governments are growing in frequency.  This growing threat has presented challenges for local governments that often manage substantial amounts of sensitive data, including with respect to vital infrastructure, public safety systems, and voting.  The lawmakers specifically noted that hackers have breached more than 200,000 personal voter records in Arizona and Illinois.

Reporter, Drew Crawford, Washington, DC, +1 202 626 5512

EU Commissioner, President Trump Set To Discuss Future Of Privacy Shield Accord – European Union (“EU”) Commissioner Věra Jourová will meet with U.S. President Donald Trump this month to discuss the future of the EU-U.S. Privacy Shield (“Privacy Shield”) accord, which imposes obligations on U.S. companies regarding the protection of personal data of EU citizens. It also requires the U.S. to monitor and enforce EU data protection rules robustly, and to cooperate more closely with European Data Protection Authorities.

The Privacy Shield was enacted to replace the EU Safe Harbor Agreement, which was established in 2000. The European Court of Justice annulled the EU Safe Harbor Agreement in October 2015, holding that the previous data transfer framework failed to offer sufficient safeguards to protect the privacy rights of EU citizens. Among other enhanced protections, and unlike the prior Safe Harbor accord, the Privacy Shield requires written commitments and assurances regarding access to data by public authorities.

On January 25, 2017, President Trump issued an Executive Order, entitled Enhancing Public Safety in the Interior of the United States, directing U.S. agencies to “ensure that their privacy policies exclude persons who are not United States citizens.” The European Commission (“EU Commission”) requested clarification from the United States on February 7, 2017, that EU citizens would not be affected under the executive order. Following the request, the Federal Trade Commission and U.S. Department of Justice assured Commissioner Jourová and the EU Commission that the United States is committed to the Privacy Shield. In a letter to Commissioner Jourová, the American Civil Liberties Union and Human Rights Watch urged the EU Commission to re-examine whether the Privacy Shield sufficiently protects the fundamental rights of people in the EU following the January 25, 2017 Executive Order.

Commissioner Jourová has pledged to engage in a dialogue with President Trump at the Privacy Shield meeting this month and will seek “reconfirmation and reassurances” from the United States, because the EU “expects continuity.” Commissioner Jourová has warned that “unpredictability is a problem,” and the EU will consider withdrawal from the Privacy Shield if “there is a significant change” under the Trump Administration.

Reporter, Ahmad M. Asir, Silicon Valley, +1 650 422 6709

District Court Grants Motion To Dismiss Because FCRA Plaintiff Failed To Allege Concrete Injuries – On March 1, 2017, the United States District Court for the District of Minnesota granted a motion to dismiss a lawsuit predicated on alleged violations of the Fair Credit Reporting Act (“FCRA” or the “Act”).  If a person plans to procure a consumer report, including a criminal background check for employment purposes, the Act requires the person to (1) provide a clear and conspicuous written disclosure, in a document that contains only that disclosure, that a consumer report may be obtained for employment purposes; and (2) obtain written authorization to procure the report from the consumer who is the subject of the report. The Act permits plaintiffs who have suffered no actual damages to obtain statutory damages for willful violations of the Act.

The plaintiff, Maxine Fields, is a former employee of Golden LivingCenter-Hopkins, one of the defendants in the action. During the hiring process, the plaintiff completed a background check authorization form. After she completed that form, Golden LivingCenter-Hopkins directed an affiliate to obtain a criminal background check on the plaintiff.

According to the plaintiff, the defendants willfully violated the FCRA because they failed to (1) tell her what type of report they planned to obtain; (2) tell her who would obtain the report; and (3) provide her those two pieces of information clearly and conspicuously through a stand-alone disclosure document. Moreover, the plaintiff contended that those three failures amounted to three informational injuries and one invasion-of-privacy injury, all of which were concrete for the purposes of the injury-in-fact requirement of Article III.

The defendants moved to dismiss and argued, among other things, that the court lacked subject matter jurisdiction. According to the defendants, because of Spokeo, Inc. v. Robins, the plaintiff’s alleged injuries were not concrete and therefore did not satisfy the injury-in-fact requirement of Article III standing.

After taking account of Spokeo, the court concluded that the FCRA gives consumers a substantive right to receive certain information in a non-confusing manner. The court, however, determined that the plaintiff’s three alleged informational injuries did not satisfy the injury-in-fact requirement of Article III standing because they were not concrete.

First, the plaintiff argued that she suffered a concrete injury by not knowing who would procure the report. To evaluate that contention, the court examined the statute and found nothing that obligated the defendants to tell the plaintiff the identity of who would procure the report. Because the defendants were not obligated to share that information with the plaintiff, the court concluded that not sharing that information with the plaintiff did not cause her to suffer a concrete injury.

Second, the plaintiff argued that she suffered a concrete injury by not knowing what type of report the defendants planned to obtain. Specifically, the plaintiff contended that the authorization form she completed did not indicate that the defendants would obtain a criminal background check. The court, however, observed that the authorization form, in two places, indicated that a criminal background check would be performed. Because the authorization form did indicate the type of report the defendants planned to obtain, the court concluded that the plaintiff’s second alleged informational injury was not a concrete injury.

Third, the plaintiff argued that she suffered a concrete injury because the defendants did not give her a stand-alone disclosure document that was clear and conspicuous. To evaluate that contention, the court observed that for a plaintiff to predicate an FCRA violation on the presentation of a disclosure, the plaintiff must demonstrate that the disclosure deprived her of information she was entitled to receive or that the disclosure confused her. According to the court, the disclosure did not deprive the plaintiff of information she was entitled to receive. Additionally, the court determined that the plaintiff did not allege that the disclosure confused her. The court, therefore, concluded that the defendants’ presentation of the disclosure did not cause the plaintiff to suffer a concrete injury.

In addition to concrete informational injuries, the plaintiff argued that she suffered a concrete invasion-of-privacy injury. Specifically, the plaintiff contended that the defendants invaded her privacy when they obtained information about her criminal history without her statutorily required consent. Because the plaintiff voluntarily disclosed her criminal history — which was that she did not have any criminal history — and the defendants’ criminal background check showed that the plaintiff had no criminal history, the court concluded that the plaintiff had not suffered a concrete invasion-of-privacy injury.

This case is noteworthy because it adds to the ongoing discussion among courts about what, in the post-Spokeo world, counts as a concrete injury for the injury-in-fact requirement of Article III standing. This case joins others that have concluded that for an alleged FCRA informational injury to be a concrete injury, the plaintiff must demonstrate that the disputed disclosure confused her or lacked information she was statutorily entitled to receive. This area of the law, however, is still developing, and several courts have reached conflicting conclusions about what counts as a concrete injury for the purposes of the injury-in-fact requirement of Article III standing.

A copy of the Court’s decision is available here.

Reporter, Barrett R. H. Young, Washington, D.C., +1 202 626 2928

King & Spalding’s 2017 Cybersecurity & Privacy Summit – On Monday, April 24, 2017, please join the cybersecurity and privacy experts at King & Spalding for the 2017 Cybersecurity & Privacy Summit.  This event is for legal and business professionals who want to participate in a discussion about the latest developments and strategies for data protection.  King & Spalding will provide a registration link in the coming weeks.