On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard their employees’ sensitive personal information from cyberattacks. Dittman v. UPMC, 2018 Pa. LEXIS 6072199 (Pa. Nov. 21, 2018).
On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside and outside the EU.
On November 30, 2018, the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments.
In a recent decision, a California federal court held that an arbitration provision contained in Viacom, Inc.’s browsewrap agreement was unenforceable and denied Viacom’s request to stay the case pending arbitration. The court’s decision in Rushing v. Viacom, Inc. is consistent with “courts’ traditional reluctance to enforce browsewrap agreements against individual consumers.”
The U.S. Securities and Exchange Commission (“SEC”) may not be the first agency that comes to mind with respect to cybersecurity, but the SEC has been in the headlines recently with respect to cyber fraud in particular. Earlier this month, the SEC issued a report urging companies to take preventive measures against cyber fraud.
The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable to compensate affected data subjects for loss caused by a data breach, even where the company has committed no wrongdoing and regardless of the employee’s motive.
Like many organizations in Canada, yours is probably not fully prepared for the mandatory breach reporting requirements coming into force under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) on November 1, 2018.
Here are three measures your organization ought to take in preparation for mandatory breach reporting:
1. Implement internal breach reporting and response protocols.
Organizations subject to PIPEDA will be required to separately report to individuals and to the Privacy Commissioner of Canada breaches of “security safeguards” involving personal information that pose “a real risk of significant harm” to individuals.
It is likely that few employees in an organization will know about this requirement, or understand what sort of breach must be reported. Due diligence requires organizations to have a breach reporting procedure in place, and training on it, to ensure information concerning a breach can be handled appropriately. Studies on breaches demonstrate that employees can be the weakest link; a procedure they know how to follow lets your employees help you. Prompt recognition and escalation of a real issue, and notifying people affected by a breach that their information may have been compromised, can also be matters of good customer service.
2. Review and update third-party vendor and service provider agreements.
Your organization will be responsible for personal information under its control, which includes information held by your vendors and service providers. Most third-party services agreements do not contemplate the type of reporting up the chain from the service provider that is required to satisfy the lead organization’s breach reporting and record-keeping obligations.
Most organizations rely on their service providers to safeguard and manage sensitive information. Do not let gaps in your agreements result in a breach of notification or record-keeping requirements, or leave any potential for embarrassing reputational risks.
3. Develop a plan for record retention: do not create evidence or waive privilege.
The new regulations require an organization to maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred. This requirement is daunting and you may be asking yourself, “What is the extent of the records required?” and, “Are we just preserving evidence for a class action claim?”
The regulations say the records must contain any information that enables the Commissioner to verify compliance with the reporting requirements, particularly referencing the legal issue of whether it is reasonable in the circumstances to believe that the breach creates “a real risk of significant harm” to an individual. The Commissioner’s guidance on this point calls for a general description of the circumstances of the breach and, if a breach is not reported, a brief explanation as to why not.
Keeping the right records can be tricky. As demonstrated in Kaplan v. Casino Rama Services Inc., 2018 ONSC 3545, it may be too easy to waive privilege over investigation and forensics reports. You need a plan in place that will address the record-keeping requirements and help maintain privilege over records. Involve your legal counsel in the development of your incident response plans and breach response to ensure you get this right.
If you have questions about whether your organization is subject to PIPEDA and a particular data breach needs to be reported, you can ask Parker, our privacy chatbot.
A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google EWHC 2599 represents a counterpoint to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation.
Most notably, the case:
- reinforces the need for “damage” to be proven by claimants before compensation can be obtained in these circumstances; and
- makes clear that the courts will not permit representative claims to be brought on behalf of a potentially large population of claimants without close scrutiny of the basis of those claims.
Recent discussion in the UK relating to data breach-related litigation has largely been focussed on the increasing risk of large-scale litigation arising from data breaches. While that risk has undoubtedly grown in the past few months due to recent case law and the implementation of GDPR, Lloyd serves as an important reminder that not all claims brought in these circumstances will be viable.
Background facts: the Safari Workaround
The Safari Workaround refers to Google’s circumvention, in 2011 and 2012, of the Safari browser’s default blocking of third-party cookies, which allowed DoubleClick advertising cookies to be set on users’ devices and their browsing to be tracked without their knowledge or consent. It was essentially the subject-matter of Vidal-Hall v Google Inc EWCA Civ 311 QB 1003. This was a high-profile case which established that compensation could be awarded to individuals under English law if they suffered non-pecuniary loss such as distress arising from a breach of data protection legislation.
The nature of the claim in Lloyd v Google
The representative claimant sought compensation arising from alleged breaches of the data protection principles set out in the Data Protection Act 1998 (the “Act”), committed by the implementation and operation of the Safari Workaround. In bringing the claim, the claimant relied on s13 of the Act which provides data subjects with a means of obtaining compensation should they suffer damage as a result of a contravention of the Act by a data controller. Warby J accepted that there may well have been an actionable breach committed as a result of the Safari Workaround, which could form the basis of a claim for compensation under the Act.
The “damage” requirement
Where the claimant’s position fell down, however, was in the inability to demonstrate “damage” as a result of the alleged tort, which is a necessary element for any compensation to be awarded pursuant to the Act.
In this regard, the claimant would need to demonstrate material (i.e. pecuniary) loss, or emotional harm such as distress. However, the claimant sought to do neither, relying instead on the commission of the alleged tort (rather than its consequences) as the basis for seeking compensation. The judgment rejected the claimant’s position, stating as follows:
Even if the data controller had no justification for its conduct, and was thus in breach of duty, the remedy which the law requires does not have to be the remedy of compensation, if no consequences followed from the breach.
The judgment goes on to distinguish Lloyd from Vidal-Hall, in which the Court of Appeal concluded that compensation may be awarded where distress has been suffered as a result of a breach of duty. The Lloyd judgment makes clear that no such compensation can be awarded when a breach of duty has caused neither material loss nor emotional harm, and has had no other consequences for the data subject. In referring to previous case law in this area, the Lloyd judgment states as follows:
I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves… In short, the question of whether or not damage has been sustained by an individual as a result of the non-consensual use of personal data about them must depend on the facts of the case.
It is clear from the above that any claims brought for compensation of this nature in future will need to be supported by compelling evidence of the damage incurred as a result of the alleged breaches of the legislation.
The claim was brought on the basis that the claimant should serve as a representative of a very broad class of potential claimants, which would potentially include all individuals who used the Safari browser in England & Wales while the Safari Workaround was ongoing. Estimates as to the size of this class vary, but it is accepted that it would encompass several million individuals.
In order for a representative action to be brought in the English courts, the representative party and those whom that party represents need to have “the same interest in” the claim. In this case, the representative claimant and the potential class of claimants were not deemed to have the same interest in the claim: many members of the class would not have suffered any damage at all, and those who had suffered damage would not be considered to have suffered the “same” damage, given that each person’s position is inherently fact-specific. A representative claim could not therefore be brought on this basis.
In addition, the reasoning in the judgment was influenced by the fact that there had been essentially no interest from the purported class of claimants in seeking redress in respect of the Safari Workaround. This indicated that whatever the technical position as to the viability of a representative action, such an action would not serve as a means of avoiding a large number of similar claims clogging up the courts. On the contrary, the judgment found as follows:
“It would not be unfair to describe this as officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches…. the Representative Claimant should not be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated”
Similar reasoning would most likely have been applied to the case had the claimant sought a Group Litigation Order in respect of the claim, which is another means by which the claims could have been pursued on a collective basis in the English courts.
Applicability to GDPR and the Data Protection Act 2018
It will be apparent from the above that Lloyd v Google was brought under the 1998 Act and therefore refers to the pre-GDPR legal landscape. However, the reasoning set out above would appear to apply equally to Art 82 GDPR and s168 of the Data Protection Act 2018, each of which contemplates compensation only in circumstances where “material or non-material damage” has been suffered. The judgment therefore appears to be of equal relevance to the new legal landscape as to the old.
Following Europe’s lead and some recent high-profile scandals involving the use of personal information, California passed the California Consumer Privacy Act, which goes into effect on January 1, 2020. The law, the first of its kind in the US, is an omnibus privacy law for the state of California that grants individuals new rights in connection with their data, including the right to erasure.
On 13 September 2018 the UK government’s Department for Digital, Culture, Media & Sport published a notice, Data Protection If There’s No Brexit Deal (the Notice). The Notice sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EEA in the event that the UK leaves the EU in March 2019 with no exit agreement in place. If this happens, there would be no immediate change in the UK’s own data protection laws because the Data Protection Act 2018 would remain in place and – more importantly – the UK’s European Union (Withdrawal) Act 2018 would incorporate the GDPR into UK domestic law.
Under the GDPR, organisations are only permitted to transfer personal data outside the EEA if certain conditions are met. The least onerous route for the exporting entity is where the third country to which the proposed transfer is to be made has an adequate data protection regime in place, as assessed by the EU Commission in making an “adequacy decision”.
Once the UK becomes a third country by virtue of Brexit, EU organisations wishing to continue to send personal data to the UK will typically want to rely on such an adequacy decision. Conversely, under UK data protection law (as it currently stands), personal data could continue to flow from the UK to the EEA on the legal basis that EU data protection law is already adequate (in terms of the requirements of UK legislation). The Notice clarifies that this is how the UK government will interpret the export requirements under UK law (although it notes that it will keep this under review).
The European Commission has stated that, if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision, allowing the transfer of personal data to the UK without restrictions.
However, if the European Commission has not made an adequacy decision regarding the UK at the point of Brexit (which is certainly possible in the event of a no-deal Brexit), the Notice suggests that UK businesses wishing to receive personal data from organisations established in the EEA should consider assisting their EEA counterparts in identifying an alternative legal basis for the EEA-to-UK transfers.
For the majority of UK businesses, the Notice suggests that the most relevant alternative legal basis for transfer to the UK would be the EU standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when included in a contract. The clauses contain contractual obligations on both the recipient of personal data (in this context, a UK business) and the EEA counterpart, and provide for directly enforceable rights for the individuals whose personal data is transferred in certain circumstances.
Given the inflexible nature of the EU data protection export regime and the time and effort it can take to re-paper data processing or sharing agreements, UK businesses should start now to review client, business partner and intra-group agreements with EEA counterparties and consider incorporating EU standard contractual clauses covering data flows from the EEA counterparties to the UK. These standard contractual clauses would take effect in the event of a “no deal Brexit”, when the UK becomes a third country without an adequacy finding.
Businesses should also consider their contingency positions if personal data is unable to flow as freely from EEA subsidiaries to parent companies or European HQs established in the UK as it does today. For example, initial reviews for e-discovery for US litigation or regulatory disclosure might need to be undertaken in an EEA country rather than in the UK in these circumstances.
The work that businesses have undertaken to understand and map their processing to comply with the GDPR will make identifying impacted personal data operations more straightforward.
For more information on the Notice and the UK government’s guidance, see DCMS advises regarding continued UK-EU data flow upon a no deal Brexit.