Data Protection Law Compliance

Jeffrey L. Widman writes:

Fingerprint scanner, illustrating concept of biometricsIn 2008, the Illinois legislature enacted the Illinois Biometric Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) to provide standards of conduct for private entities in connection with the collection and possession of “biometric identifiers and information.” BIPA regulates the collection, use, safeguarding, handling, storage, retention and destruction of such biometric identifiers. Biometric identifiers include retina and iris scans, fingerprints, voiceprints, and scans of hands and faces. It does not include writing samples, signatures, photographs, physical descriptions or biological materials used for medical or scientific purposes.

BIPA’s Requirements

Significantly, BIPA does not prohibit the collection or purchase of biometric identifiers. Instead, BIPA requires private entities to develop written policies to establishing a retention schedule and guidelines for the destruction of such biometric identifiers. BIPA also imposes a set of guidelines with which the entities that do possess such biometric identifiers must comply. These include requirements that such entities:

  • Inform individuals in writing that the information is being collected or stored;
  • Inform individuals in writing of the purpose and length of time for which the information is being collected and stored; and
  • Obtain written consent from individuals whose biometric information is collected;

BIPA also prohibits entities that possess biometric identifiers from (i) selling, leasing, trading or otherwise profiting from such identifiers; and (ii) otherwise disclosing or disseminating such information unless the individual consents to such disclosure, the disclosure completes a financial transaction authorized by the individual, the disclosure is required by municipal, state or federal law or the disclosure is required in response to a warrant or subpoena.

The Recent Onslaught of BIPA Class Actions

Although BIPA provides a private right of action to individuals aggrieved by a violation of the Act, plaintiff’s attorneys essentially ignored BIPA from 2008 through 2016 and few lawsuits were brought on behalf of aggrieved individuals. However, in the past year, more than 30 class actions have been filed in Illinois for purported BIPA violations. Why the trend? For one, BIPA imposes penalties of $1,000 per negligent violation of the Act and $5,000 (or actual damages, whichever is greater) for intentional or reckless violations. Second, BIPA allows for the recovery of reasonable attorneys’ fees and costs, including expert witness fees. Accordingly, BIPA is a prime target for members of the plaintiff’s bar.

Although there is little case law interpreting BIPA, the Illinois Appellate Court issued its first opinion in December 2017 addressing the Act. In Rosenbach v. Six Flags Entertainment Corp., 2017 IL App. (2d) 170317, the court, citing several Federal Court decisions, dismissed a plaintiff’s BIPA claim for failure to state a claim due to the her inability to cite actual damages. In so holding, the Court focused on whether an individual is “aggrieved” (as required by BIPA) if he or she alleges that biometric information was collected without consent, but does not allege actual injury. In dismissing the case, the appellate court found that mere technical violations are not actionable since a plaintiff is not “aggrieved” as the plain language of BIPA requires. While the opinion may deter some cases from being filed, it certainly leaves the door open for claims of actual damage and we expect BIPA cases to continue to be filed in the near future.


Jeffrey L. Widman is a partner in the firm’s Litigation Department, based in its Chicago office.

Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.

Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.

Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.

Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech eco-system, portraying themselves as trusted custodians of consumer data.

To gain the advantage, they will need to be proactive because regulators are not sitting back.

Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.

Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data. This has already affected proposed deals. The EU halted Apple’s proposed acquisition of Shazam over possible adverse effects on other music streaming services.

In this climate, it is no time for major tech companies to lay low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.

The European General Data Protection Regulation (GDPR) comes into force on May 25, 2018.  This gives companies only two months to prepare for and comply with the GDPR. Companies should be conducting data mapping to identify all cross-border transfers of personal data so that they can determine the best way to comply with the GDPR requirements.

Illustration of binary code rippling out from the European Union flag, in relation to GDPRThe GDPR has been, perhaps, the most widely talked about privacy regulation for the past year and a half after it was approved by the EU Parliament on April 14, 2016 because of the sweeping changes it will bring to how the global digital economy operates with regard to processing personal data. GDPR will apply to all EU-based companies, irrespective of whether personal data is processed inside or outside of the EU. The GDPR will also apply to companies outside the EU that offer goods or services to individuals in the EU and/or that monitor or track the online behavior or activities of individuals in the EU.

Any transfer of personal data to a third country can take place only if certain conditions are met by the data exporter and the data importer. If a company is transferring EU personal data outside of the EU, that company must identify a valid transfer mechanism to legally transfer that personal data.  The most widely used transfer mechanisms are: (1) transfers within the EU and adequacy rulings; (2) appropriate safeguards; and (3) derogations.

Transfers Within the EU and Adequacy Rulings

Under GDPR, personal data can be moved between EU member states (and Norway, Liechtenstein, and Iceland) without restriction.

Cross-border transfers may also take place without a need to obtain further authorization if the European Commission determines that the third country’s body of national law ensures an adequate level of protection for personal data. The European Commission considers several factors when determining if the country has an adequate level of protection, including the specific processing activities, access to justice, international human rights norms, the general and sectoral law of the country, legislation concerning public security, defense and national security, public order and criminal law.

Appropriate Safeguards

In the absence of an adequacy determination, cross border personal data transfers are permitted if the controller and processor use EU-approved safeguards. The most widely used transfer mechanisms are binding corporate rules, model contractual clauses, and certification mechanisms (e.g. Privacy Shield).

Binding corporate rules (BCRs) are internal codes of conduct adopted by multinational companies to allow transfers between different branches of the organization. BCRs are a favored mechanism because of their flexibility, ability for tailored customization, and a lower administrative burden once implemented.

Model contractual clauses are legal terms contained in a template data processing agreement drafted and ratified by the EU. Model contractual clauses can be burdensome because companies are required to enter new model contractual clauses to cover each new third party and each new purpose for processing or transfer.

Because the European Commission does not recognize the U.S. as an adequate third country, U.S. companies can comply by certifying under the EU-U.S. Privacy Shield that they meet the high data protection standards set out in the Privacy Shield.  The Privacy Shield remains subject to the same criticism that ultimately resulted in the downfall of its predecessor (Safe Harbor), that it does not fully protect the fundamental rights of individuals provided under EU privacy laws.

Derogations

In the absence of either an adequacy decision or the implementation of an appropriate safeguard, a cross-border transfer can still take place in limited circumstances, where an exception applies. These circumstances include situations where the individual explicitly consents after having been informed of the risks of data transfer in the absence of an adequacy decision and appropriate safeguards, the transfer is necessary for the performance of a contract between the parties, or if the transfer is necessary for important reasons of public interest. The permitted derogations are fact-specific and are generally not intended to be relied upon as a company’s primary transfer mechanism.

Guidance for GDPR Compliance

Transferring personal data out of the EU without a valid transfer mechanism can result in significant fines and increased regulatory oversight.  Beginning on May 26, 2018, compliance with the GDPR will be essential for companies engaging in cross-border transfers of personal data.

To comply with the GDPR, companies should first identify and map all cross-border data flows.  Companies should then examine and assess for each of these flows whether the receiving country is in the EU (and Norway, Liechtenstein and Iceland) or is otherwise deemed adequate.  If not, the company should consider whether any appropriate safeguards have been put in place, and/or whether any specific derogations apply.

Europe map with padlock symbolizing the General Data Protection Regulation (GDPR)With the European’s Union’s new General Data Protection Regulation (or GDPR) taking effect in less than 100 days, the interest of many U.S. Companies has been piqued as to how the GDPR may affect their overseas and internet-based businesses.  This article on CFO.com, “Why GDPR Matters,” which I co-authored with Bill Shipp from Vaxient, LLC and Jonathan Marks, CPA from Marcum, LLP, tackles this hot issue and answers why GDPR should matter to U.S. companies in a wide variety of industries.

To assist U.S.-based companies in determining how GDPR may affect their business, Fox Rothschild has also developed a GDPR mobile app called “GDPR Check” (details and download information here).  The app is designed to help companies determine which areas of their business (if any) may require GDPR compliance.

If you have any questions about how GDPR may affect your company, we encourage you to consult a knowledgeable attorney and experienced professionals.

Last year saw multiple high-profile data breaches, enough to place cybersecurity atop any in-house attorney’s 2018 priority list.

But the threat posed by hackers isn’t the only cyber concern on the minds of in-house counsel this year, reports Corporate Counsel magazine.

In the regulatory realm, complying with the European Union’s General Data Protection Regulation, which takes effect in May,  is expected to be companies’ top data privacy task of 2018. But it’s not the only one. The Chinese government also plans to impose new, below-the-radar data privacy regs that will make companies jump through another set of legal hoops.

The legal implications of new technologies, such as fitness devices that blur the line between medical and personal data collection, are also expected to challenge corporate counsel. And groundbreaking legal cases could change the law regarding who has standing to sue following a data breach in the U.S. and whether companies can use standard contractual clauses to transfer personal data out of Europe.

A number of employers in Illinois are involved in pending class action litigation regarding violations of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (the “BIPA”). The BIPA, which was enacted in 2008, addresses the collection, use and retention of biometric information by private entities. Any information that is captured, stored, or shared based on a person’s biometric identifiers, such as fingerprints, iris scans, or blood type, is considered “biometric information.” The Illinois Legislature enacted the BIPA because biometric information is unlike any other unique identifier in that it can never be changed, even once it has been compromised.

The BIPA requires that, before a private entity can obtain and/or possess an individual’s biometric information, it must first inform the individual, or the individual’s legally authorized representative, in writing of the following: (1) that biometric information is being collected or stored; (2) the specific purpose for the collection, storage, and use of the biometric information; and (3) the length of time for the collection, storage, and use of the biometric information. Furthermore, before collecting any biometric information, the private entity must receive a written release for the collection of the biometric information from the individual or the individual’s legally authorized representative after the above notice has been given.

The BIPA additionally requires the private entity to develop a written policy that establishes a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. That policy must be made available to the public. The collected information must be destroyed once “the initial purpose for collecting or obtaining such information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.” 740 ILCS 14/15. In the pending cases, the private entity employers failed to obtain informed written consent prior to the collection, storage, and use of fingerprints and other biometric information. The employers also failed to publish any data retention and deletion policies for the biometric information.

The BIPA also restricts a private entity’s right to sell, lease, trade or otherwise profit from a person’s biometric identifier or biometric information. An employer who adheres to the requirements of the BIPA will be able to avoid class action litigation on this issue and maintain compliance with industry standards.

On Tuesday, November 7th from 2:00 to 6:30, Fox Rothschild and Kroll will be presenting the CLE: Staying One Step Ahead: Developments in Privacy and Data.  The CLE will take place at Fox Rothschild’s offices at 353 N. Clark Street in Chicago.  The speakers are Bill Dixon from Kroll, and Dan Farris and Mark McCreary from Fox Rothschild.  Cocktails and networking will follow the presentations.

If you are in the Chicago are on November 7th, I hope you will join us.  Click here to register for this free event.

Elizabeth Litten (Fox Rothschild Partner and HIPAA Privacy & Security Officer) and Mark McCreary (Fox Rothschild Partner and Chief Privacy Officer) will be presenting at the New Jersey Chapter of the Healthcare Financial Management Association on August 30, 2017, from 12:00-1:00 pm eastern time.  The presentation is titled: “Can’t Touch That: Best Practices for Health Care Workforce Training on Data Security and Information Privacy.”

This webinar is a comprehensive review of information privacy and data security training, with an emphasis on imparting practical know-how and a fluency with the terminology involving phishing, ransomware, malware and other common threats. We will cover best practices for sensitizing health care industry workers to these threats as part of their ongoing HIPAA compliance efforts and, more generally, for training workers in any business on the proper handling of sensitive data. We will cover the adoption of policies and a training regimen for the entire workforce, as well as tailored training for those in positions responsible for implementing security policies.

More information and a registration link can be found here.

Data privacy and securityFox Rothschild partner and firm Chief Privacy Officer Mark G. McCreary sees a trend: Law firms are increasingly recognizing that naming a lawyer to lead data security and privacy efforts is “an essential ingredient in good risk management.”

In an article for Law360 entitled “Notes From A Law Firm Chief Privacy Officer: CPO vs. CISO,” McCreary writes:

“To understand the role of the CPO — and why that person ought to be a lawyer — it’s important to distinguish the role they fill from that of the chief information security officer or CISO, who is typically a nonlawyer and leads the firm’s information technology department.”

We invite you to read his full article.

 

On June 14, Fox Partner Scott Vernick appeared on live-streaming financial news network Cheddar to provide background information on the European Union’s General Data Protection Regulation, which goes into effect on May 25, 2018. To comply with the new privacy rules, companies that provide online services to residents of the EU will be required to obtain documented “hard consent” from customers before processing and storing their data. For many American companies, this is a significant shift.

Scott L. Vernick, Partner, Fox Rothschild LLPScott outlines the high stakes for companies affected by the GDPR, in the form of a fine for failure to comply of four percent of their worldwide annual turnover (i.e., gross revenue). He also discusses the potential impact on EU-based user experience, and notes that companies will need to account for changes to the GDPR allowed within specific member countries.

We invite you to watch Scott’s informative segment.