July 11, 2017

Data, Privacy & Security Practice Report – July 11, 2017


Alaska Genetic Privacy Suit Survives Motion To Dismiss – On June 30, 2017, the U.S. District Court for the District of Alaska—in Cole v. Gene by Gene, Ltd., No. 1:14-CV-00004-SLG, 2017 WL 2838256, at *5 (D. Alaska June 30, 2017)—denied a motion to dismiss a putative class action lawsuit that alleged DNA testing company Gene by Gene Ltd. improperly disclosed the DNA test results of its customers without their consent in violation of Alaska’s Genetic Privacy Act. 

In 2013, Michael Cole purchased a DNA testing kit from Gene by Gene brand Family Tree DNA and, after viewing his results on the company’s website, signed up for several “projects,” which are online forums for people who are conducting research related to their ancestors.  Mr. Cole alleged that he understood that the project administrators would have access to his name, contact information, and testing kit number.  However, he was not informed that some project administrators had separate websites and that his full DNA test results would be disclosed on those sites.

Mr. Cole claimed that such disclosure violated Alaska’s Genetic Privacy Act, which prohibits the collection and analysis of DNA samples, and the retention or disclosure of DNA samples or DNA test results, without informed and written consent. Cole sought to certify a class of all Alaska residents who had their DNA results disclosed by Gene by Gene without written consent.

Gene by Gene filed a motion to dismiss the putative class action, contending that Mr. Cole lacked Article III standing because he suffered no actual injury. Under the U.S. Supreme Court's decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016), an alleged statutory violation is not enough to confer standing unless a plaintiff independently alleges a harm that is sufficiently “concrete.” 

U.S. District Judge Sharon L. Gleason rejected Gene by Gene’s argument and stated that although the disclosure of Mr. Cole’s DNA test results did not result in “tangible economic or physical harm,” it nevertheless was sufficiently “concrete” to establish an injury-in-fact. Spokeo requires that courts consider two factors in determining whether a statutory violation constitutes an injury-in-fact:  (1) whether the alleged intangible harm caused by the statutory violation bears a “close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts,” and (2) congressional judgment in establishing the statutory right.

Judge Gleason held that Mr. Cole satisfied the first factor because his alleged injury is “closely related to torts that have been recognized in both federal and Alaska state courts.” Alaska’s Genetic Privacy Act recognizes an “exclusive property interest in one’s DNA and prohibits the unauthorized disclosure of DNA information.” Both the U.S. Court of Appeals for the Ninth Circuit and the Alaska Supreme Court have recognized a right to privacy that can be violated by disclosure of personal information.

Regarding the second factor, Judge Gleason pointed to three considerations that weighed in favor of granting a person in Mr. Cole’s position judicial relief:  (1) Alaska’s Genetic Privacy Act’s provision of a private right of action; (2) the availability of statutory damages in addition to any actual damages suffered; and (3) the substantive nature of the statutory right to a privacy interest in one’s DNA. Accordingly, Judge Gleason held that Mr. Cole’s injury was sufficiently concrete to confer standing and denied Gene by Gene’s motion to dismiss.

Reporter, Yelena Kotlarsky, New York, +1 212 556 2207, ykotlarsky@kslaw.com.

Texas Data Thieves Sentenced To Prison For $1.8 Million Fraud Scheme – On June 30, 2017, the U.S. Attorney’s Office for the Southern District of Texas announced the sentencing of two men convicted of conspiring to claim up to $1.8 million in fraudulent income tax refunds from the Internal Revenue Service (“IRS”) using stolen personal information of numerous taxpayers. Jeffery Wahab Jubril and Sunday Quincy Usoh received 52- and 96-month sentences, respectively, and both will serve three (3) years of supervised release upon completion of their prison terms. The pair must also collectively pay more than $265,000 in restitution.

According to a criminal complaint filed against Jubril in May 2015, the scheme centered around stolen identity refund fraud (“SIRF”), which involves “theft of individual taxpayers’ identities; preparation of income tax returns that falsely purport to belong to those taxpayers; and filing of the false returns with the IRS in order to obtain tax refunds.” The complaint detailed how Jubril opened accounts at numerous banks throughout Texas, used stolen personal information of victims (including names, Social Security numbers, and birthdates) to file electronic tax returns with the IRS, and then directed tax refunds to his various bank accounts. An indictment against Jubril was filed in June 2015 charging him with theft of government money and aggravated identity theft, and a superseding indictment was filed in November 2015 adding Usoh as a co-defendant as well as a charge for conspiracy to defraud the government. Both defendants ultimately pleaded guilty in May 2016.

In the Department of Justice’s press release regarding the defendants’ sentencing, Special Agent in Charge Rick Goss of the IRS Criminal Investigation unit credited the government’s use of “special investigative techniques to follow a crimes’ money trail . . . back to the perpetrator.” The IRS Criminal Investigation unit conducts initial investigations into tax refund fraud to gather evidence and then recommends prosecution to United States Attorney’s Offices nationwide. IRS statistics show that in 2015—the year Jubril and Usoh were investigated and indicted—the IRS initiated a total of 776 identity theft investigations, resulting in 790 individuals being sentenced to an average of 38 months of jail time. In 2016, the number of investigations initiated and individuals sentenced decreased slightly to 673 and 613, respectively, while the average sentence increased to 40 months.

Reporter, Robert D. Griest, Atlanta, +1 404 572 2824, rgriest@kslaw.com.

Civil Libertarians Seek Intelligence Sharing Agreement From NSA – On Wednesday, July 5, British nonprofit Privacy International filed suit in U.S. District Court for the District of Columbia against the National Security Agency (“NSA”), the Office of the Director of National Intelligence (“ODNI”), and other U.S. agencies under the Freedom of Information Act. The suit seeks a copy of the current agreement governing sharing of signals intelligence among the “Five Eyes” alliance of the United States, the United Kingdom, Canada, Australia, and New Zealand. If successful, this request could provide new insight to domestic and overseas privacy advocates on how intercepted information is shared and could influence regulators already wary of the United States’ practices in this area.

Privacy International’s suit arises from the long history of signals intelligence sharing between the United States and United Kingdom. In 1946, the countries executed an informal document, titled the United Kingdom-United States Communication Intelligence Agreement (the “UKUSA Agreement”), committing to share both signals intelligence itself and the techniques used to gather it. In 1955, the parties proposed a restatement of the UKUSA Agreement (which had by that time been joined by Canada, Australia, and New Zealand), and the NSA declassified records from those negotiations in 2010. These documents represent the most recent version of the UKUSA Agreement available to the public.

In its complaint, Privacy International seeks to compel the NSA, the ODNI, the State Department, and the National Archives and Records Administration to provide the text of the UKUSA Agreement now in effect, as well as records on the defendants’ rules and policies governing their sharing of intelligence gathered from “operations relating to foreign communications.” The 1955 UKUSA Agreement defines “foreign communications” to include “communications of the Government … of a foreign country, or of any person or persons acting or purporting to act therefor, and … [redacted] communications originated by nationals of a foreign country which may contain information of value.”

Of course, the rise of the Internet has given the NSA and its overseas partners opportunities to gather intelligence in ways not anticipated in 1955, and these new technologies create new difficulties in determining whether participants in a communication are indeed foreign nationals. The same difficulty prompted the enactment of the Protect America Act of 2007 and the FISA Amendments Act of 2008, each of which requires the United States to take measures to minimize the chance of intercepting communications from U.S. persons. (The complaint likewise requests records describing these minimization procedures.) Privacy International argues that requiring the disclosure of any privacy safeguards mandated by, or implemented under, the current UKUSA Agreement will aid the public in understanding their rights and advocating for any needed improvements.

Updated information on the UKUSA Agreement, if released, could add to the international debate on privacy protections and surveillance. For example, in 2015, due to NSA surveillance programs publicized by Edward Snowden, the European Court of Justice invalidated the U.S.-EU Safe Harbor, which had permitted the processing of European personal data in the United States. The Safe Harbor’s replacement, the Privacy Shield, is itself subject to at least two similar challenges under European law, and the European Commission will conduct its first annual review of the new regime later this year. Even the publicity accompanying Privacy International’s initial filing could draw attention to the U.S.’ surveillance practices, which could in turn threaten the Privacy Shield’s continued viability.

Reporter, Daniel Ray, Silicon Valley, +1 650 422 6715, dray@kslaw.com.

UK Data Protection Authority Publishes International Strategy – The United Kingdom’s Information Commissioner’s Office (“ICO”) has published its international strategy for 2017-2021, which sets out the UK’s strategy for its relationship with the European Union on data privacy matters following Brexit and its ambitions for international relations on data privacy matters thereafter.

This publication comes at a time of significant scrutiny for the UK’s data privacy strategy, with questions around how the UK will align with the EU on data privacy matters following the decision for the UK to leave the EU, and how the UK will handle the impending introduction of the General Data Protection Regulation (“GDPR”) in the EU, widely considered to be the most far-reaching and detailed piece of legislation on data privacy to be passed anywhere in the world.

The ICO states that its strategy regarding the UK’s impending exit from the EU is “to operate as an effective and influential data protection authority at the EU level while the UK remains a member of the EU and when the UK has left the EU.” Whilst the UK makes clear its ambitions in this respect, the strategy document recognises that the UK’s role in the EU after Brexit will be shaped by the negotiations about the terms of the UK’s departure.

The strategy document also makes clear, after some debate, that the UK will implement the GDPR in May 2018 before the UK leaves the EU to ensure that “there is continuity and certainty about UK law afterwards.” 

The UK’s stated key strategic objective for international relations is to maintain its reputation as an influential and respected data protection authority internationally by continuing engagement with leading international privacy networks around the Commonwealth and exploring relationships with networks in the Asia Pacific region.

Lastly, the ICO sets itself the challenge of maintaining its high standards of data protection law and, further, of continuing to be recognised as a globally leading standard “to enable it to be a leading regulatory partner and to enable international data flows.” Conceptually, the aim is for the UK to be viewed as a “global data protection gateway,” which the strategy document defines as a “country with a high standard of data protection law, which is effectively interoperable with different legal systems that protect international flows of data.”

This is an ambitious strategy, which clarifies the UK’s vision for what is to be an eventful period in data privacy law, marking a constitutional change for the UK with regard to its relationship with the EU and the increasing importance of the relationship between data and globalisation.

Reporter, Kim Roberts, London, +44 (0) 20 7551 2133, kroberts@kslaw.com.