BLOGS: Communications, Tech & Media Review

Wednesday, July 27, 2016, 10:20 AM

A Fragile Shield? Managing the Risks of EU-U.S. Data Transfer

By Doug Bonner

Following European Commission adoption of the Privacy Shield on July 12, 2016, and with Privacy Shield self-certification poised to open for business organizations on August 1, 2016, as a replacement for the invalidated EU-U.S. Safe Harbor mechanism, U.S. businesses are actively evaluating the commitments they will need to make to self-certify (and to annually re-certify) under the Privacy Shield in order to receive personal data from the EU. There are important considerations in evaluating self-certification under the Privacy Shield, including the financial and time costs for self-certification. For example, a Privacy Shield-compliant privacy policy statement must be effective and publicly available before certification, and other oversight and enforcement mechanisms must be in place to ensure compliance with the Privacy Shield’s privacy principles. Furthermore, U.S. organizations must have written agreements with onward recipients of personal data guaranteeing the same level of protection as they self-certify to under the Privacy Shield Principles, requiring negotiation of those separate agreements. A nine-month grace period is available to organizations that self-certify within the first two months of the Privacy Shield effective date, a powerful incentive for organizations with a substantial number of pre-existing third-party commercial relationships to self-certify early.

Still, despite the additional burdens imposed upon self-certifying businesses, the Privacy Shield is likely to face legal challenge from privacy advocates in the EU who consider the Shield inadequate protection for personal data in response to the European Court of Justice (“ECJ”) decision in October 2015 invalidating the Safe Harbor. In the meantime, the EU Standard Contractual Clauses (the “Model Clauses”), another mechanism by which personal data can be lawfully transferred outside the EU, are the subject of a complaint being reviewed by the ECJ. With that backdrop, should companies with Model Clauses already in place self-certify under the Privacy Shield? Should the Privacy Shield replace or instead buttress the use of Model Clauses? There are also steps EU organizations can take to protect themselves against a successful challenge, either to the Model Clauses or to the Privacy Shield. Finally, for businesses operating in the UK, the Brexit vote creates uncertainty about whether the Privacy Shield mechanism will be available to them depending upon when and how UK withdrawal from the EU occurs. Certain actions will likely need to be taken by the UK to benefit from the Privacy Shield on an ongoing basis following withdrawal from the EU.

Our Womble Carlyle Privacy and Data Protection Team experts have been discussing these issues with our counterparts in our U.K. strategic partner firm Bond Dickinson and highlight areas where specific, targeted advice and collaborative thinking will benefit our clients.

For the full version of this client alert please click here.


Wednesday, July 13, 2016, 12:04 PM

Spokeo Injury Requirement May Not Be TCPA Silver Bullet Some Had Predicted, But Nonetheless Dooms Claims of Serial Plaintiff

While many legal analysts predicted the potential demise of TCPA litigation in the wake of the Supreme Court’s Spokeo v. Robins decision in May, as it turns out with all things TCPA, the reality looks to be a bit more nuanced, though the Spokeo decision does appear to pose some particular challenges for serial TCPA plaintiffs. In Spokeo, the Supreme Court held that Article III standing requires a plaintiff to show injury that is both “concrete” and “particularized.” For TCPA plaintiffs, the issue post-Spokeo is whether the plaintiff can show that they suffered concrete injury as a result of a TCPA violation, beyond the statutory violation itself.

In a prescient pre-Spokeo order anticipating how the Supreme Court would rule, a California district court in Henderson v. United Student Aid Funds, Inc. declined to stay the case pending decision in Spokeo, finding that the plaintiff could show a number of concrete harms from the TCPA violation. More recently, in a series of post-Spokeo cases, plaintiffs have had little difficulty, with one exception, satisfying courts that unlawful robocalls can result in a concrete injury.

In late May, a federal court in Booth v. Appstack found that time wasted answering or addressing robocalls is enough for a concrete injury. In June, a Georgia district court in Rogers v. Capital One Bank (USA) found that a violation of the TCPA was a concrete injury because the busy plaintiff’s cell phone lines were unavailable during the time of the unwanted call. And most recently in Diana Mey v. Got Warranty Inc., a West Virginia district court held that receiving an unwanted robocall could cause a concrete harm in the form of a monetary injury, either by using cell phone minutes from a limited plan or by causing the consumer to incur charges for a call. The court also found sufficiently concrete the alleged injury caused by increased call activity from depletion of a cell phone’s battery, and the resulting cost to recharge the phone. As these cases illustrate, the “concrete” and “particularized” injury required for a TCPA violation to be actionable after Spokeo appears to be a fairly low hurdle, but it is a hurdle nonetheless.

Such was the case for a serial TCPA plaintiff who was recently tripped up by the Spokeo concrete and particularized injury requirements.  In Stoops v. Wells Fargo Bank, N.A. the Western District of Pennsylvania found that a “professional plaintiff” who admitted to filing TCPA actions “as a business” had not suffered an injury-in-fact from calls alleged to violate the TCPA, and therefore lacked Article III standing sufficient to bring a claim.  In Stoops, the plaintiff testified that she had filed at least eleven TCPA claims in the Western District and admitted that she had only purchased cell phones and minutes to receive more calls and enable more lawsuits.  The court found that the plaintiff had not suffered a violation of her legally protected privacy right interests because she was filing TCPA actions as a business.  Nor did she suffer economic injury, since she was purchasing cell phones and minutes to receive calls that enabled her TCPA suits, and it could hardly be said that calls she was hoping to receive caused her actual economic harm.

