CURRENT MONTH (July 2021)
FTC’s 2020 Privacy and Data Security Report Highlights Facebook and Zoom
By Alex Haims, Cornell Law School
The Federal Trade Commission (“FTC”) recently released its 2020 Privacy and Data Security Update detailing its most significant cases from the past year. First, the United States District Court for the District of Columbia approved a $5 billion settlement between the FTC and Facebook, the largest ever for consumer protection violations. The settlement was based on allegations that Facebook permitted third-party applications to access user data even after users made their profiles private, and that Facebook falsely claimed to not disclose user data to third-party advertisers.
The FTC also reached a settlement agreement with Zoom over alleged misrepresentations regarding its security practices. The FTC alleged that Zoom falsely claimed to use high levels of encryption to protect user data and video recordings stored on Zoom’s cloud. The FTC further alleged that Zoom secretly installed software on Mac computers designed to circumvent Apple Safari’s malware protection. This allowed the Zoom application to automatically join a user to a meeting and activate webcams without the user’s knowledge. The settlement required Zoom to establish and implement a comprehensive new security program.
Lastly, the FTC ordered nine social media and video streaming services to file Special Reports explaining their practices for collecting consumer data and targeted advertising, and how these practices affect minors. The nine companies ordered were Amazon, Facebook, Reddit, Snap, Twitter, WhatsApp, ByteDance (operator of TikTok), YouTube, and Discord. The FTC said it plans to use these reports to inform its future policies on consumer protection and competition.
Million Dollar Decision – Court of Appeals Affirms Debated Interpretation of an Insurance Policy
By Kristina Miller, Temple University Beasley School of Law
On June 1, 2021, the U.S. Court of Appeals for the Eleventh Circuit affirmed a trial court’s decision finding an insurance carrier not liable for damages under the Telephone Consumer Protection Act of 1991 (“TCPA”). Horn et al. v. Liberty Ins. Underwriters, Inc., No. 19-12525 (11th Cir. June 1, 2021). The insured company, iCan, sent a multitude of unprompted texts and phone calls to consumers, causing the affected customers to file a class action lawsuit alleging invasion of privacy.
iCan settled the lawsuit for $60.4 million and assigned its rights against its insurer, Liberty, to the plaintiffs. However, Liberty’s policy explicitly stated that it would not be liable for any loss “based upon, arising out of, or attributable to . . . [an] invasion of privacy . . . .” Less clear was whether that language should be read to exclude coverage for the plaintiffs’ claim.
The majority found that Liberty’s policy, when read collectively, would exclude coverage for the claim stated in the complaint. The court determined that the references to invasion of privacy contained in the complaint were enough to be considered “arising out of.” Conversely, the dissent argued that because the language of the policy was ambiguous, the court should rule in favor of the insured. The dissent explained that the policy could reasonably be interpreted to refer exclusively to common law torts; therefore, Liberty should be held liable because the plaintiffs did not assert the invasion-of-privacy claim as a common law tort.
European Commission Adopts New SCCs for Controller-Processor and Third Country Transfers
By Emily Jones, University of North Carolina School of Law
The European Commission recently adopted two sets of standard contractual clauses (SCCs), distinguishing between (1) use among data controllers and data processors, and (2) transferring personal data to third countries. Commission Decision 2021/915 of June 4, 2021, 2021 O.J. (L 199) 18; Commission Decision 2021/914 of June 4, 2021, 2021 O.J. (L 199) 131. The new SCCs consider the Court of Justice of the European Union’s (CJEU) judgement in C-311/18 Data Prot. Comm’r v. Facebook Ireland Ltd, Maximillian Schrems ECLI:EU:C:2020:59 (July 16, 2020) (Schrems II) and incorporate updated requirements under the General Data Protection Regulation (GDPR).
The Controller-Processor SCCs attempt to guarantee compliance with provisions of the GDPR and Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by EU institutions, bodies, offices, and agencies. The Controller-Processor SCCs also address the rights and responsibilities of parties regarding the security of processing, the use of sub-processors, sensitive data, documentation and compliance, international data transfers, data breaches, and non-compliance with clauses.
The Third Country Transfer SCCs: (1) include a single entry-point covering a comprehensive range of transfer scenarios, as opposed to separate sets of clauses; (2) provide distinct “modules” for transferring data from controller to controller, controller to processor, processor to processor, and processor to controller; and (3) offer guidance on compliance with the Schrems II judgement.
The European Commission is allowing a transition period of 18 months for data controllers and data processors to adopt the new sets of SCCs.
Supreme Court Says Authorized Access for Improper Purposes Does Not Violate CFAA
By Maliheh Zare, American University Washington College of Law
The United States Supreme Court recently held that only an impermissible access of computer files could be prosecuted as a federal crime under the Computer Fraud and Abuse Act (“CFAA”) of 1986. Van Buren v. United States, 593 U.S. (2021). Under the CFAA, it is a federal crime “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Reversing the Eleventh Circuit, the Court rejected the government’s interpretation of this provision, which would criminalize improper uses of data obtained through authorized access of computer files.
Nathan Van Buren, a Georgia police sergeant, was convicted of fraud for accessing a police computer database and running a license-plate search to exchange the information for money offered by an FBI informant. Van Buren persuaded the Court that the CFAA’s provision did not extend to his actions because the CFAA addressed the risks imposed by outside computer hackers and by inside hackers who accessed off-limit files in a computer. Further, the statute merely rejected a defense by an inside hacker entitled to access the information in hard copy but not entitled to access it in computer files.
The Court’s decision limited the government’s prosecutorial power under the CFAA to the prosecution of unauthorized access of a computer or restricted computer files. So now, it will be up to Congress to amend the CFAA to criminalize accessing computer files for improper purposes if necessary.
Colorado Governor Voices Concerns over Enactment of Consumer Privacy Law
By Harrison Conaty, Temple University Beasley School of Law
On July 7, 2021, Colorado’s Governor Jared Polis signed the Colorado Privacy Act (the “Act”) into law. The Act requires businesses that process personal data or information to perform certain duties, such as providing transparency, purpose specification, and data minimization. The Act also grants Colorado consumers the ability to access, correct, delete, and opt out of the sale of their personal information. Colorado becomes the third state (after California and Virginia) to enact such a law.
Governor Polis released a signing statement expressing several concerns about the Act. His chief concern is ensuring Colorado’s competitiveness among the states as an incubator of new technologies and innovations. He noted that clean-up legislation conversations had already been undertaken, but urged the importance of striking an appropriate balance between consumer protection on one side and fostering innovation and Colorado’s status as a top state to do business on the other. Governor Polis expressed optimism that the Act will serve as a template for a nationwide standard passed by Congress in the future. The law takes effect July 31, 2023.