News & Insights


November 12, 2018

Data, Privacy & Security Practice Report – November 12, 2018

Senate Proposes Privacy Bill To Mimic GDPR And Target CEOs – Senator Ron Wyden (D-Ore.) has proposed sweeping new legislation that would overhaul internet privacy protections in the United States in the same vein as the European Union General Data Protection Regulation (“GDPR”). The draft bill, introduced on November 1, 2018, is called the Consumer Data Privacy Act (“CDPA”), and, if enacted, would set minimum privacy and cybersecurity policies that companies would be mandated to follow. Those policies would be enforceable by the Federal Trade Commission (“FTC”), and any company that violated them, as well as their CEOs, would face harsh penalties.

The CDPA, which would apply to companies that generate more than $50 million in revenue and with personal data on more than 1 million people, would allow the FTC to create minimum standards for consumer privacy and data security. Similar to the GDPR, the bill also proposes to give consumers a way to review the data that companies have collected on them, as well all other companies, vendors, and business associates with which that data has been shared. Moreover, the CDPA would require large technology firms – those with revenues exceeding $1 billion or ones that store data on more than 50 million consumers or their devices – to submit “annual data protection reports” to the government that lay out their cybersecurity practices.

If a company fails to follow the FTC’s standards and regulations, the CDPA would empower the FTC to levy steep fines (up to 4% of annual revenue) against the company, similar to the fines permitted under the GDPR. The CDPA goes even further than the GDPR, however, in that it would create criminal penalties for CEOs and other senior executives who fail to follow the FTC’s regulations. Senior executives could face up to 20 years in prison, with individual fines reaching as high as $5 million for those executives who knowingly mislead regulators.

In a statement, Senator Wyden said his bill is a direct response to privacy scandals in recent years. “Today’s economy is a giant vacuum for your personal information – everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database. But individual Americans know far too little about how their data is collected, how it’s used, and how it’s shared,”  Wyden said. “It’s time for some sunshine on this shadowy network of information sharing. My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans’ most private information.”

Reporter, Bethany L. Rupert, Atlanta, + 1 404 572 3525,  

Supreme Court Requests Supplemental Briefing On Standing Issue In Google Privacy Class Action – On November 6, 2018, the U.S. Supreme Court ordered post-argument supplemental briefing in Frank v. Gaos, No. 17-961 (U.S.). The primary question on which the Court granted certiorari in Frank is whether a class action settlement that contains cy pres relief, i.e., settlement funds that are not distributed to the class members but do not revert to the defendant, is fair, reasonable, and adequate under Rule 23(e)(2) of the Federal Rules of Civil Procedure. After hearing oral argument on October 31, the Court directed the parties and the Solicitor General to submit supplemental briefing on a threshold jurisdictional question, namely “Whether any named plaintiff has standing such that the federal courts have Article III jurisdiction over this dispute.”

The Frank caseis before the Court on a petition filed by certain class members, represented by Ted Frank, a “professional objector” who routinely objects to class action settlements in general and cy pres relief in particular. The underlying class complaint alleges that Google operates its search engine in a manner that violates the Stored Communications Act, which prohibits certain service providers from disclosing the contents of electronic communications. According to plaintiffs, a violation occurs because, when a user clicks on a link after conducting a Google search, the search engine allegedly discloses a user’s search terms, and potentially personal information, to third parties.

Although no named plaintiff alleged any concrete injury as a result of the alleged statutory violations, the District Court certified a settlement class on the premise that a statutory violation on its own is sufficient to satisfy the standing requirements of Article III of the U.S. Constitution. According to the District Court, the “injury required by Article III . . . can exist solely by virtue of statutes creating legal rights, the invasion of which creates standing.”  The Ninth Circuit upheld the District Court’s approval of the proposed settlement.

The proposed settlement provided that Google would pay a total of $8.5 million and post information on its website about how users’ search terms are shared with third parties. A total of $3.2 million was set aside for attorneys’ fees, administration costs, and incentive payments to the named plaintiffs, with the remainder to be allocated to six cy pres recipients that have programs dedicated to Internet privacy: AARP, Inc.; the Berkman Center for Internet and Society at Harvard University; Carnegie Mellon University; the Illinois Institute of Technology Chicago-Kent College of Law Center for Information, Society and Policy; the Stanford Center for Internet and Society; and the World Privacy Forum. The objectors challenged the proposed settlement, arguing that cy pres settlements create unacceptable conflicts of interest between counsel, who profit from the attorneys’ fees, and the class members, who receive no monetary recovery from a settlement that releases their claims. The objectors also raised concerns that the cy pres settlement proposed to distribute the funds to institutions with close ties to class counsel.

After the Supreme Court granted certiorari, the Solicitor General filed an amicus brief in support of neither party, arguing that a substantial jurisdictional question exists. The government noted that the Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016), vacated a Ninth Circuit opinion that relied on the same standing analysis that had been applied by the Frank District Court. The government noted that Spokeo had rejected the premise that “a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” A similar argument was advanced by the U.S. Chamber of Commerce, represented by King & Spalding, in an amicus brief also filed on behalf of neither party, which raised concerns that lower courts continue to certify what are known as no-injury class actions. The Chamber took no position on the appropriateness of the particular cy pres settlement at issue, but argued that “the explosion of cy pres settlements in class-action litigation is symptomatic of a deeper problem—the failure of lower courts to comply with” Supreme Court precedent “and rigorously police the requirements of Rule 23,” including the requirement that class members must suffer actual, not abstract, harm.

At oral argument on October 31, several Justices expressed skepticism as to whether any of the named plaintiffs had alleged a concrete injury sufficient to establish standing under Spokeo. The objectors argued that plaintiffs had standing, but suggested that the Court should remand if it found that the complaint did not contain sufficient allegations to establish standing under Spokeo. The government, which was granted time to argue its position as an amicus, suggested that the Court could either remand or resolve the standing question on its own, while Google agreed with the government that “there’s a serious question about whether this action was ever properly in federal court and that the standing issue has to be addressed before the court could determine the questions presented.” Google added that the Court’s options are to dismiss as improvidently granted, remand, or decide the standing question on its own. Plaintiffs’ counsel suggested either remand or dismissal as improvidently granted, while noting that neither the District Court nor the Ninth Circuit had addressed standing under the Spokeo standard with respect to the Stored Communications Act claim or the other causes of action alleged by plaintiffs.

The parties’ and the government’s supplemental briefs are due November 30, 2018, with reply briefs due on December 21. The Court is expected to issue a decision before the end of its term in June 2019. The transcript from the October 31 oral argument is available here.

Reporter, Stephen R. Shin, Atlanta, +1 404 572 3502,

Second Annual Review Of The EU-U.S. Privacy Shield – On October 19, 2018, senior officials from the United States government, the European Commission (the “Commission”), and European data protection authorities met in Brussels for the second annual review of the EU-U.S. Privacy Shield framework (the “Shield”). Over two days, the officials discussed such important matters as the oversight and enforcement of the Shield and the collection of personal data by U.S. authorities for purposes of law enforcement or national security.

The Shield is designed to safeguard the rights of EU citizens whose personal data is transferred to the United States for commercial purposes by introducing additional protections such as requiring U.S. authorities to cooperate with European data protection authorities and providing mechanisms for redress to EU citizens whose data has been misused. The Commission, by way of an adequacy decision, has deemed that EU-to-U.S. data transfers handled in line with the Shield’s requirements comply with EU data protection laws. Joining the Shield is voluntary, but once a company has self-certified to the International Trade Administration within the U.S. Department of Commerce and publicly declared that it complies with the Shield’s requirements, the commitment is enforceable under U.S. law. Since the Shield came into effect on 1 August 2016, nearly 4,000 U.S. companies have self-certified.

The Shield is subject to an annual joint review by EU and U.S. officials to monitor its application and ensure that it remains effective. The first review identified a number of issues and, in December 2017, the Article 29 Working Party (which has since been replaced by the European Data Protection Board) gave the U.S. government until 25 May 2018 to address its “prioritized concerns.” In particular, the Working Party stated that the U.S. should appoint members to the U.S. Privacy and Civil Liberties Oversight Board (“PCLOB”) and an independent ombudsperson to review complaints from EU citizens.

Even though the U.S. has now taken corrective action in respect of the key concerns – the U.S. Senate confirmed three members, Adam Klein, Edward Felten, and Jane Nitze to the PCLOB on 11 October 2018, and on 28 September 2018, the U.S. State Department named Manisha Singh as the Privacy Shield Ombudsperson – the future of the Shield is far from certain. On 12 June 2018, the Civil Liberties, Justice and Home Affairs Committee of the European Parliament passed a Resolution recommending that the Commission suspend the Shield on the basis that it failed to provide enough protection. The Commission stated that the lack of sufficient oversight and supervision after self-certification risked leading to enforcement gaps, and called on the Commission to ensure that the Shield is compliant with the EU General Data Protection Regulation (“GDPR”) and that U.S. companies are not able to gain an unfair competitive advantage in this regard from the application of the Shield.

Further, following the introduction of the GDPR earlier this year, the EU seeks additional concessions from the U.S. concerning the collection, storage, and use of EU citizens’ personal data by U.S. government agencies and companies, and there are outstanding issues with respect to standard contractual clauses (“SCCs”). In April, the Irish High Court referred questions to the European Court of Justice for determination regarding the relevance of the Shield in assessing the adequacy of U.S. privacy safeguards related to SCCs, and whether the provision of the Shield ombudsperson and existing U.S. law ensure a remedy for EU citizens that is compatible with Article 47 of the Charter of Fundamental Rights of the European Union. A report of the second annual review is to be published before the end of the year.

Reporter, Jessica Trevellick, London, +44 20 7551 7507,


Impact Assessments, Territorial Scope, And EU-Japan Draft Adequacy Decision Top European Data Protection Board Meeting Agenda – The European Data Protection Authorities, assembled in the European Data Protection Board (“EDPB” or “Board”), met at their third plenary meeting held on the 26th of September. At its meeting, the Board agreed on common criteria for Data Protection Impact Assessments (“DPIA”), adopted new draft guidelines on the territorial scope of the EU’s General Data Protection Regulation (“GDPR”), and discussed the impact of the EU-Japan draft adequacy decision.

Under the GDPR, businesses must conduct a DPIA when data processing is likely to result in a “high risk” to the rights and freedoms of natural persons. Exactly what “high risk” entails, however, has been a difficult question to answer. After implementation of GDPR in May 2018, the supervisory authorities of the EU Member States submitted draft lists to the Board identifying data processing activities requiring DPIAs. The EDPB issued opinions on each of these lists aiming to create a non-exhaustive, harmonized approach and promoting consistency on processing throughout the EU. The EDPB’s opinions address, in particular, large-scale processing of biometric, genetic, and location data; data collected from third parties; employee monitoring; exceptions to information to be provided to the data subject; processing for scientific or historical purposes; and processing using new/innovative technology.

The Board also adopted at its third plenary meeting new draft guidelines to help provide a common interpretation of the territorial scope of the GDPR and provide further clarification on the application of the GDPR, in particular where the data controller or processor is established outside of the EU. The draft guidelines are eagerly awaited as GDPR’s broad scope—bringing under its ambit not only companies established in the EU, but also non-EU businesses offering goods and services to individuals in the EU—impacts in particular cross-border activities and leaves many questions on specific issues in the blur. So far, the draft guidelines have not been published, but we will report on the draft guidelines as soon as they will be open for public consultation.

Finally, the EDPB discussed the EU-Japan draft adequacy decision, on which we reported in our September 17, 2018 issue, and on which the Board has been asked to provide an opinion. The Board announced its intent to take into account the wide-ranging impact of the draft adequacy decision, as well as the need to protect personal data when reviewing the EU-Japan draft adequacy decision – which makes EDPB’s review another eagerly awaited opinion.

Reporter, Elisabeth Kohoutek, Frankfurt, +49 (69) 257 811 401,