Privacy

Court Grants Motion to Compel Production of Telephone Records from Individual Plaintiff: eDiscovery Case Law

In Siemers v. BNSF Railway Co., No. 8:17-cv-360 (D. Neb. Apr. 8, 2019), Nebraska Magistrate Judge Susan M. Bazis, finding that the plaintiff’s telephone records are discoverable pursuant to Fed. R. Civ. P. 26, that they are not subject to a privilege claim just because plaintiff’s counsel’s telephone number may appear in the records, and that privacy issues are minimal to non-existent (since the at-issue records do not contain the substance of communications), ordered the plaintiff to produce his telephone records within one week of the order.

Case Background

In this case regarding the plaintiff’s suit against his former employer for alleged violations of the Federal Employers Liability Act (“FELA”), the defendant requested production of the plaintiff’s cellular telephone records from November 1, 2016 (the day before the claimed injury incident that is the basis of Plaintiff’s lawsuit) to present. After the plaintiff refused to produce any records in response to the defendant’s request, a discovery dispute conference was held in October 2018, with the Court finding that the plaintiff’s communications with coworkers or others from the defendant and telephone records evidencing the same were relevant and discoverable, and ordering the parties to further confer regarding production of these items.

The plaintiff then issued a subpoena to his cellular telephone provider and received a listing of incoming and outgoing telephone calls and text messages, but not the substance of any communications. Nonetheless, the plaintiff refused to produce to the defendant the telephone records produced to him in response to his subpoena.

In the final pretrial conference, the defendant argued that the records were discoverable because whether and how often plaintiff has communicated with BNSF coworkers or management since his alleged injury could have credibility considerations, that identifying the fact that a communication occurred between the plaintiff and his attorney was not privileged or, alternatively, that it was not unduly burdensome to redact those references and that no privacy interest was implicated in the telephone records because the records do not contain the substance of any communications.  The plaintiff argued that the defendant’s request was “overbroad on its face and therefore not reasonably calculated to lead to the discovery of relevant information” and also contended that the discovery sought by the defendant was “unreasonably cumulative or duplicative and could have been obtained from other sources that is more convenient, less burdensome, or less expensive.”

Judge’s Ruling

Considering the respective arguments, Judge Bazis ruled as follows:

  1. “Plaintiff’s telephone records from November 1, 2016 to present and any other records received by Plaintiff in response to his subpoena to his cellular telephone provider are discoverable pursuant to Fed. R. Civ. P. 26. BNSF is entitled to discover whether and how often Plaintiff has communicated with coworkers or BNSF management since his alleged injury.
  2. The fact that Plaintiff’s counsel’s telephone number may appear in the records does not render them subject to a privilege claim. Plaintiff may redact references to communications between Plaintiff and Plaintiff’s counsel, which the Court finds is not overly burdensome.
  3. Privacy considerations of Plaintiff or third parties not involved in this litigation are minimal to non-existent since the at-issue records do not contain the substance of communications.”

As a result, Judge Bazis ordered (in all caps, no less) the plaintiff “to produce to BNSF all records received in response to Plaintiff’s subpoena to his cellular telephone carrier” within one week of the order, noting that he could “redact references to communications between Plaintiff’s counsel and Plaintiff (but is not required to do so to maintain privilege claims regarding the substance of the communications).”

So, what do you think?  Was that appropriate or was the defendant’s request overbroad?  Please let us know of any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Data Privacy Compliance Isn’t Just for Europe or California Anymore: Data Privacy Trends

We have covered Europe’s General Data Protection Regulation (GDPR) over several posts the past couple of years and even conducted a webcast on the topic last year.  And, we have covered the California Consumer Privacy Act (CCPA) several times as well, including as recently as last week.  But, what about the rest of the wide, wide world?  Do countries in other parts of the world have data privacy policies as well?  Yes.  Do they mimic GDPR policies?  Not necessarily.

As reported in Legaltech News (Data Protection Laws Take Center Stage For Global GC, written by Caroline Spiezio), lawyers are saying that ignoring data privacy changes outside of Europe, or assuming GDPR policies will comply anywhere, may lead to fines or diminished consumer trust in other regions.  For example, Camila Tobón, a Colorado-based data privacy lawyer at Shook, Hardy & Bacon, said many countries in Latin America follow a consent-based model, which doesn’t allow for the legitimate interest data collection case presented under GDPR. She said many Latin American countries with data privacy laws used Spain’s consent-based version of the 1995 Data Protection Directive (the predecessor to GDPR in Europe) to shape their regulations.

“When Spain incorporated the directive into their law, one noticeable change [from other EU countries] was the lack of legitimate interest for a basis for processing personal data,” Tobón said. “When most Latin American countries were starting to implement their laws in 1999, 2000, 2001, they used the Spanish law as a model, which didn’t include legitimate interest. So what you ended up seeing in Latin America was a consent-based model.”

However, Brazil’s General Data Protection Law, which passed in 2018, includes the case for legitimate interest collection, which closely aligns that country’s laws with Europe’s.  And, other countries in Latin America are working on changes as well.  Chile recently voted to create a national data protection authority. Panama’s National Assembly approved a national data protection regulation last year that currently awaits the president’s signature. An updated Argentine bill to bring the country’s data protection regulations closer to Europe’s with a legitimate interest model and data protection officer requirement is also in the works, with a draft standing in front of Congress.

Beyond Latin America, other countries are making (or considering making) changes as well.  The Corporate Counsel Association of South Africa’s chief executive officer Alison Lee said she expects to see the country implement the Protection of Personal Information Act this year.  Unlike GDPR, POPIA asserts companies also have “personal data” that requires protection. South Africa currently doesn’t require explicit consent to collect data or legitimate interest, but it does require some form of consent.  Nigeria could also see data protection changes, as it has long attempted to pass a specific data protection bill.

So, what about Asia Pacific (APAC)?  Scott Thiel, a Hong Kong-based DLA Piper partner, said that, since GDPR’s implementation, he has increasingly been asked questions about data protection in Asia.

“Everyone is sort of finally taking a breath and going, ‘OK, we got through GDPR, we’re somewhere near compliance and that’s great. I assume that works everywhere, does it?’ And the short answer is no, it doesn’t,” Thiel said. “A lot of the approaches to data compliance that work in Europe don’t work in the Asian markets.”

He said many companies have tried applying their GDPR policies to China and other Asian countries and it “just doesn’t” work.  Like Latin America, much of East Asia relies on a consent-based model rather than legitimate interest, Thiel said.  Nonetheless, cybersecurity laws are changing in APAC, as well.  The article has several more details regarding data privacy changes in Latin America, Africa and APAC.  GDPR, with its heavy fines, has gotten a lot of the coverage regarding data privacy compliance, but you can’t ignore requirements in the rest of the world if you’re a multi-national company.  I’m sure Antarctica will come out with their data privacy laws any day now.  ;o)

So, what do you think?  Are you prepared for data privacy changes around the rest of the world?  Please share any comments you might have or if you’d like to know more about a particular topic.


Answers to Your Frequently Asked CCPA Questions: Data Privacy Best Practices

As we discussed last year (here and here), the California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law set to take effect next January 1.  And, as we also reported recently, about half of surveyed companies haven’t even started preparing to be CCPA compliant.  Maybe that’s because they don’t know where to start to comply and don’t know whether the CCPA applies to their business, what rights Californians will have under CCPA and what impact CCPA will have on their privacy policy.  Here are answers to some of those questions.

On the Data Privacy Monitor site by Baker Hostetler (The California Consumer Privacy Act: Frequently Asked Questions, written by Alan L. Friel, Laura E. Jehl and Melinda L. McLellan), the authors address ten frequently asked questions that companies are asking about CCPA (if they’re not asking them, they should be).  Here are the questions they address in this article:

  1. Does the CCPA apply to my business? What if we don’t have operations in California?
  2. Does the $25 million revenue threshold apply to California revenue specifically, or is it $25 million for the business as a whole?
  3. Will the CCPA be amended? What are the open issues?
  4. What new rights will the CCPA give to California residents?
  5. Will we need to amend our company’s online privacy policy?
  6. How do the “copycat” CCPA laws being proposed in other states compare with the CCPA?
  7. How does a business confirm that a person making an access or deletion request under the CCPA is a California resident, or who they claim to be?
  8. What should our company be focusing on right now, while we wait to see how these various state and federal law proposals shake out?
  9. What are the potential penalties for violations of the CCPA?
  10. Does my business qualify for one of the CCPA’s exceptions?

I won’t steal any thunder here – the authors give detailed and thoughtful answers to the questions that you will want to check out for yourself.

It’s interesting to note that there are at least 15 state data privacy laws that are working their way through the legislative process – some that are “virtually identical to the CCPA”, others that are similar, but with key differences.  As the authors note, the “prospect of having to comply with dozens of different state laws of this nature has fueled interest in a federal law to harmonize these proposals and provide businesses with clear compliance goals.”  That’s not surprising to me.

As the authors note in their conclusion: “A new era of consumer privacy rights has dawned in the U.S., and businesses will need to have a sound understanding of the personal information they collect, process, use and share to be able to comply with incoming rules and regulations.”  Given recent trends, it certainly appears that virtually every US business will be subject to new and developing data privacy laws sooner rather than later.

So, what do you think?  Is your company subject to CCPA?  If so, has it begun to address CCPA yet?  Please share any comments you might have or if you’d like to know more about a particular topic.


Court Rejects Carpenter Argument for Third Party Subpoena of Google Subscriber Info: eDiscovery Case Law

In U.S. v. Therrien, No. 2:18-cr-00085 (D. Vt. Mar. 13, 2019), Vermont District Judge Christina Reiss denied the defendant’s motion to suppress evidence obtained via a subpoena of Google for subscriber information, rejecting the defendant’s argument that the United States Supreme Court decision in Carpenter v. US forecloses the government’s ability to obtain this type of data without a warrant.

Case Background

In this case related to a one count Indictment against the defendant that he knowingly transported child pornography, an order for eighty-five photograph prints was placed with an online company in February 2018.  An employee of the online company’s outsource print provider informed the Federal Bureau of Investigations that it was concerned that some of the photographs may contain child pornography. Law enforcement subsequently discovered an e-mail address that was associated with the order.

A grand jury subpoena was issued in March 2018 to obtain subscriber information from Google pertaining to the account associated with the email address. In response, Google produced subscriber information, services utilized by the account, the date the account was created, the date and time of the last login, and the IP addresses associated with the account from December 6, 2017 through March 15, 2018. Asserting that law enforcement violated the Fourth Amendment in obtaining records from Google without a warrant, the defendant sought suppression of all evidence obtained pursuant to the grand jury subpoena, citing Carpenter v. US.

Judge’s Ruling

While noting that, in Carpenter, the Supreme Court held that cell-site location information (“CSLI”) was not subject to the third-party doctrine, Judge Reiss also noted that SCOTUS addressed “the notion that an individual has a reduced expectation of privacy in information knowingly shared with another” and “reasoned that because there was no way for individuals possessing cell phones to avoid generating CSLI and because cell phones are now effectively a necessity of daily life, it was unreasonable to conclude that an individual voluntarily exposed CSLI information to a third party.”

Judge Reiss also observed that “Since Carpenter, courts have held that IP address information and similar information still fell ‘comfortably within the scope of the third-party doctrine’ because ‘[t]hey had no bearing on any person’s day-to-day movement’ and ‘[the defendant] lacked a reasonable expectation of privacy in that information.’”  Judge Reiss cited several cases, including United States v. Rosenow, 2018 WL 6064949, at * 11 (S.D. Cal. Nov. 20, 2018), which said “The Court concludes that Defendant had no reasonable expectation of privacy in the subscriber information and the IP log-in information Defendant voluntarily provided to the online service providers in order to establish and maintain his account.”

As a result, Judge Reiss ruled as follows in denying the defendant’s motion to suppress the evidence obtained:

“In this case, law enforcement obtained information that an account holder voluntarily turned over to Google. This information is squarely within the third-party doctrine and requires a different result than in Carpenter. As a result, Defendant did not possess a reasonable expectation of privacy in the information obtained by law enforcement.”

So, what do you think?  Should people have a reasonable expectation of privacy for their email accounts in third party subpoenas?  Please let us know of any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.


About Half of Surveyed Companies Haven’t Started Preparing for CCPA: Data Privacy Trends

Does this sound familiar?  Last week at the University of Florida E-Discovery Conference, I talked about the California Consumer Protection Act (CCPA) as one of the things that organizations need to be prepared to address these days as part of their compliance obligations.  Sounds like a lot of organizations haven’t gotten around to that just yet.

In an article in Legaltech® News (Almost Half of Companies Haven’t Started CCPA Compliance: Survey, written by Frank Ready), a recent survey of 250 executives and managers at U.S. technology, manufacturing, financial services, utilities and health care companies finds that 44 percent of companies that will be impacted by the CCPA haven’t yet taken steps towards compliance.  Only 14 percent of respondents are fully CCPA compliant at this point.

The state’s forthcoming privacy regulation, which is scheduled to take effect next January 1st, empowers Californians with more control over the way their data is collected, shared or viewed by U.S. companies on a daily basis. According to the survey, a large majority of respondents, 71 percent, expect to spend at least $100,000 on compliance efforts. But consulting attorneys may not wind up seeing as much of that money as one might think.

The survey was conducted by Dimensional Research on behalf of the privacy compliance company TrustArc. Chris Babel, CEO of TrustArc, attributed some of the compliance delay to companies that have never had to wrap their heads around these issues before. While the European Union’s General Data Protection Regulation (GDPR) impacted only U.S. companies with business interests in Europe, the CCPA hits a little closer to home.

“One of the pieces that I had underestimated was truly the amount of companies that were not impacted by GDPR, so CCPA is their foray into doing this,” Babel said.

“The legal fees are going to play a role, but I don’t think the legal fee is going to be the largest chunk of the expense. It will really be the in-house kind of grind that needs to be done in order for the compliance steps to be in place,” said Jarno Vanto, a shareholder at Polsinelli.

The “grind” he’s referring to includes extensive work around understanding what data an organization holds and mapping the flow of that data. It also includes checking in with third party vendors and partners to determine what information they have access to as well.

So, how are companies planning on making the leap before the deadline? According to the survey, 72 percent of respondents plan on investing in some sort of technology to help smooth the way.  That doesn’t surprise me – as I discussed in Florida last week, Information Governance (IG) policies are vital to organizations’ ability to meet compliance obligations, but it’s going to take a combination of IG policies and technology for organizations to really get a handle on their data.

So, what do you think?  Are you surprised that so many companies haven’t begun to address CCPA yet?  Please share any comments you might have or if you’d like to know more about a particular topic.


How Many States Have Security Breach Notification Laws? You Might Be Surprised: Cybersecurity Trends

Usually, I end each blog post with “So, what do you think?”, but this time I’m starting with it.  How many states do you think have some sort of legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information (PII)?  Ten?  Twenty?  Thirty?  You might be surprised.

According to a post by the National Conference of State Legislatures (NCSL) (hat tip to Joe Hodnicki of Law Librarian Blog for the link), all 50 states, plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.

That’s certainly good to know!

Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).

The NCSL post linked to above provides links to each of the states’ and territories’ legislation – some have a single law, code or statute to address the requirements, while others have more than one.  It’s a great reference if you ever have to determine what the laws are in a particular state or territory in terms of compliance requirements – which are already growing because of the General Data Protection Regulation (GDPR) that went into effect last year and the California Consumer Privacy Act (CCPA) which is slated to go into effect next January.  More and more, compliance discovery is becoming a strong emphasis for organizations that need to manage their risk.  It’s good to know that all of the states and territories have security breach laws – the next question is how well are they enforced?

So, what do you think?  Were you surprised that every state and territory has security breach laws?  Please share any comments you might have or if you’d like to know more about a particular topic.


NY Appeals Court Extends Discoverability of Social Media Photos to “Tagged” Photos: eDiscovery Case Law

In Vasquez-Santos v. Mathew, 8210NIndex 158793/13 (N.Y. App. Div. Jan. 24, 2019), the New York Appellate Division, First Department panel “unanimously reversed” an order by the Supreme Court, New York County last June that denied the defendant’s motion to compel access by a third-party data mining company to plaintiff’s devices, email accounts, and social media accounts, so as to obtain photographs and other evidence of plaintiff engaging in physical activities and granted the defendant’s motion.

It’s rare that we can include the entire case opinion in our blog post, but, in perhaps the shortest case ruling we’ve ever covered, here is that case opinion.

“Private social media information can be discoverable to the extent it ‘contradicts or conflicts with [a] plaintiff’s alleged restrictions, disabilities, and losses, and other claims’ (Patterson v. Turner Const. Co., 88 A.D.3d 617, 618, 931 N.Y.S.2d 311 [1st Dept. 2011] ). Here, plaintiff, who at one time was a semi-professional basketball player, claims that he has become disabled as the result of the automobile accident at issue, such that he can no longer play basketball. Although plaintiff testified that pictures depicting him playing basketball, which were posted on social media after the accident, were in games played before the accident, defendant is entitled to discovery to rebut such claims and defend against plaintiff’s claims of injury. That plaintiff did not take the pictures himself is of no import. He was ‘tagged,’ thus allowing him access to them, and others were sent to his phone. Plaintiff’s response to prior court orders, which consisted of a HIPAA authorization refused by Facebook, some obviously immaterial postings, and a vague affidavit claiming to no longer have the photographs, did not comply with his discovery obligations. The access to plaintiff’s accounts and devices, however, is appropriately limited in time, i.e., only those items posted or sent after the accident, and in subject matter, i.e., those items discussing or showing defendant engaging in basketball or other similar physical activities (see Forman v. Henkin, 30 N.Y.3d 656, 665, 70 N.Y.S.3d 157, 93 N.E.3d 882 [2018]; see also Abdur–Rahman v. Pollari, 107 A.D.3d 452, 454, 967 N.Y.S.2d 31 [1st Dept. 2013] ).”

So, what do you think?  Should discoverability of photos be extended to photos where the party is “tagged” in the photo or should privacy concerns weigh heavier here?  Please let us know of any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.


Germans Order Facebook To Change How it Collects User Data: Data Privacy Trends

Two days, two stories about Germans finding fault with companies’ handling of personal data.

According to Law360 (Facebook Ruling Gives Antitrust Weight To Data Privacy, written by Ben Kochman – subscription required), Germany’s Federal Cartel Office ordered Facebook last week to give users the right to opt in or out before the company merges data gleaned from users’ activity on other websites and apps to their Facebook accounts. Facebook uses this type of data, including from its own WhatsApp and Instagram as well as from third-party websites with its “like” or “share” buttons, to amass detailed profiles on consumers that fuel its lucrative targeted advertising operation.

Facebook users can reasonably expect that the social network is monitoring their activity on the platform for targeted advertising purposes, the German regulator said. But to extend that tracking to third-party sites — including those that have the company’s invisible Facebook Analytics software installed — without asking users first amounts to “exploitative abuse,” it said, in which the company is abusing its unique position as a social media giant for which users have no real replacement.

“In view of Facebook’s superior market power, an obligatory tick on the box to agree to the company’s terms of use is not an adequate basis for such intensive data processing,” FCO President Andreas Mundt said in a statement announcing the ruling.

The FCO explained its logic in a Q&A attached to the decision. Even though users do not suffer a financial loss from Facebook’s data collection, “the damage for the users lies in a loss of control,” the regulator said.

“They are no longer able to control how their personal data are used,” the authority wrote. “They cannot perceive which data from which sources are combined for which purposes with data from Facebook accounts and used e.g. for creating user profiles.”

“Due to the combining of the data, individual data gain a significance the user cannot foresee,” it added.

Facebook immediately pushed back, arguing in a blog post that the FCO “underestimates the fierce competition we face in Germany,” including from YouTube, Snapchat and Twitter.  The ruling “misapplies German competition law to set different rules that apply to only one company,” wrote the post by Yvonne Cunnane, head of data protection for Facebook Ireland, and company Associate General Counsel Nikhil Shanbhag. Facebook vowed to appeal the case and has a month to do so.

“There’s a sentiment issue here. People are developing feelings about Facebook, especially after what happened with Cambridge Analytica,” Pam Dixon, executive director of the World Privacy Forum (a consumer privacy nonprofit), said. “I wonder if Facebook is having a tin ear here to what its customer base really wants.”

So, what do you think?  Is this just the beginning of data privacy reform?  And, will “zee germans” have anything else to say about data privacy soon?  Please share any comments you might have or if you’d like to know more about a particular topic.


In Today’s Privacy Environment, That’s the Way the (Website) Cookie Crumbles: Data Privacy Trends

It’s only been three weeks, but we’ve already talked plenty about the first big GDPR fine of €50 million (or about $56.8 million) to Google for failing to comply with GDPR.  Sure, you’re thinking “that’s Google, I can see how they got fined, but nothing to worry about here”.  Right?  Well, you may want to think again.

As covered in Alston & Bird’s Privacy and Data Security Blog (Google-Style GDPR Fines for Everyone? Bavarian DPA Conducts Website Cookie Practices Sweep, Announces Fines under Consideration, written by Daniel Felz; hat tip to Rob Robinson’s Complex Discovery blog for the link), last week, the Data Protection Authority (DPA) of the German state of Bavaria announced it was considering fining a number of companies under the GDPR for their website cookie practices.  None of these companies appear to be in Google-style tech industries.  The Bavarian DPA’s action potentially signals that cookies, user tracking, and online advertising are not a ‘tech industry issue,’ but instead a priority issue for companies irrespective of their industry – and one that can carry GDPR fine risk.

In an online publication, the Bavarian DPA announced it had conducted a sweep of 40 large companies’ website cookie and user tracking practices.  While the identities of these companies have not been published (as is common in Continental European agency investigations), the Bavarian DPA identified the industries in which the companies were active – and no company was identified as a technology company.  Following its sweep, the Bavarian DPA announced that none of the 40 companies it had audited had built GDPR-compliant cookie/tracking practices into their websites.  As a result, the Bavarian DPA has announced it is considering GDPR fines.  The companies audited were from industries ranging from online retail to sports to banking & insurance to media, even automotive & electronics and home and residential.

The Bavarian DPA found the following violations:

  1. Websites lacked the transparency needed for “informed” cookie consent. 30 of the 40 audited websites did not provide sufficiently transparent disclosures to users regarding the website’s use of tracking technology;
  2. No “prior” consent was collected from users. The Bavarian DPA indicated that for most of the 40 websites, cookie data was “automatically” sent to third-party cookie providers as soon as the user visited the website;
  3. The consent obtained was not sufficiently “active”. The Bavarian DPA’s position is that cookies and “tracking scripts” should be blocked until “the user has actively consented.” The interesting thing here is that the Bavarian DPA noted that most of the 40 websites used cookie banners to inform users about their use of cookies, but that none of these banners resulted in effective consent being collected from the user.  As the article notes, it may be that none of the websites integrated a cookie-blocking function prior to ‘consent events’ being logged.

As the article notes, the larger point of the Bavarian DPA’s action is that cookie compliance appears to be becoming a front-burner issue for EU privacy regulators – and an issue that can generate fines.  Which means it should probably be a front-burner issue with companies out there as well.  Oh, and by the way, Alston & Bird’s blog also has a countdown to the effective date of the California Consumer Privacy Act (CCPA) — 328 days and counting by the time you read this, so get ready for more compliance challenges in the future.

So, what do you think?  Will this change how companies implement tracking cookies in their websites?  Please share any comments you might have or if you’d like to know more about a particular topic.


Relying on Interpretation of the SCA, Appeals Court Reverses Subpoenas Against Facebook: eDiscovery Case Law

In Facebook, Inc. v. Wint, No. 18-CO-958 (D.C. App. Jan. 3, 2019), the District of Columbia Court of Appeals, stating that “[t]he plain text of the SCA (Stored Communications Act) thus appears to foreclose Facebook from complying with Mr. Wint’s subpoenas”, concluded that the appellee “has not established the existence of a serious constitutional doubt that could warrant application of the doctrine of avoidance” and reversed the trial court’s order holding Facebook in civil contempt for refusing to comply with subpoenas served by appellee Daron Wint.

Case Background

The appellee was charged with murder in D.C. Superior Court. Before trial, he filed an ex parte motion asking the trial court to authorize defense counsel to serve subpoenas duces tecum on Facebook and a Facebook subsidiary for records, including the contents of communications, relating to certain accounts. Facebook objected, arguing that the SCA prohibits Facebook from disclosing such information in response to a criminal defendant’s subpoena. The trial court approved the subpoena request and held Facebook in civil contempt for failing to comply.

The case was argued before the appellate court in October 2018.

Appeals Court Ruling

In the appellate court opinion issued by Associate Judge McLeese, he noted that “In the trial court, Mr. Wint argued that if the SCA were interpreted to preclude Facebook from complying with the subpoenas at issue, then the SCA would be unconstitutional. Mr. Wint has not renewed that argument in this court, however, and that argument therefore is not before us. Rather, Mr. Wint has argued in this court only that the SCA is properly interpreted to permit Facebook to comply.”  He also noted this:

“The SCA broadly prohibits providers from disclosing the contents of covered communications, stating that providers “shall not knowingly divulge to any person or entity the contents” of covered communications, except as provided…The SCA contains nine enumerated exceptions to this prohibition…Mr. Wint does not rely on any of those exceptions, and none of them applies in the present case. The plain text of the SCA thus appears to foreclose Facebook from complying with Mr. Wint’s subpoenas.  The structure of the SCA points to the same conclusion.”

The opinion also noted that Section 2702 (Voluntary disclosure of customer communications or records) and Section 2703 (Required disclosure of customer communications or records) of the SCA “appear to comprehensively address the circumstances in which providers may disclose covered communications. Those circumstances do not include complying with criminal defendants’ subpoenas.”  The opinion also noted that “Authority from other jurisdictions also favors a plain-language reading of the SCA. As far as we have determined, every court to consider the issue has concluded that the SCA’s general prohibition on disclosure of the contents of covered communications applies to criminal defendants’ subpoenas.”

The appellee pushed for an alternative interpretation under which § 2702 addresses only the circumstances in which providers may voluntarily disclose covered communications and does not address compliance with court-ordered disclosures, such as subpoenas. In support of this interpretation, the appellee relied on six principal contentions, which were discussed in detail in the opinion. However, the opinion stated:

“Although some of Mr. Wint’s contentions have some force, on balance we are not persuaded by Mr. Wint’s argument.”

As a result, the appellate court reversed the trial court’s order holding Facebook in civil contempt for refusing to comply with subpoenas served by the appellee.

So, what do you think?  Does the SCA, which has been in effect for over thirty years, adequately address the rights to request data from providers in 2019?  Please let us know any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.
