Category Archives: Privacy Litigation

Challenge to Privacy Shield Dismissed by EU General Court

Written by
In October of last year, we reported that digital rights advocacy group Digital Rights Ireland (“DRI”) had brought an action to annul the EU-U.S. Privacy Shield.  DRI filed its challenge before the General Court of the European Union, which is the court of first instance in the EU system with exclusive jurisdiction over challenges to the validity of EU legal acts.  Last week, the General Court dismissed DRI’s challenge, meaning that Privacy Shield remains valid and in force. DRI based its Privacy Shield suit on Article 263 of the Treaty on the Functioning of the European Union (TFEU), [...] Read more

An English-Language Primer on Germany’s GDPR Implementation Statute: Part 5 of 5

Written by
Over the past year, the German government has been working on legislation to implement the EU’s General Data Protection Regulation (GDPR).  On July 6, 2017, Germany did so by passing a statute titled the Data Protection Amendments and Implementation Act. The Act repeals Germany’s venerated Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG) and replaces it with an entirely new BDSG, aptly referred to as the “BDSG-New.” Germany becomes the first EU Member State to pass a GDPR implementation statute. Given Germany’s reputation as one of, if not the, most serious privacy jurisdiction [...] Read more

Professor Peter Swire Publishes his Expert Testimony from Schrems 2.0

Written by
Peter Swire, Elizabeth and Thomas Holder Chair at the Georgia Tech Scheller College of Business and senior counsel at Alston & Bird, has made public his expert testimony from the landmark Irish High Court Case Data Protection Commissioner v. Facebook Ireland Limited & Maximillian Schrems. Under the Irish Court’s rules, Swire was asked to provide an independent opinion on U.S. surveillance law to assist the Court in its decision. Swire’s testimony highlights U.S. systemic remedies, U.S. individual remedies, Foreign Intelligence Surveillance Court oversight, and the broader implications [...] Read more

Eighth Circuit Affirms Dismissal of Scottrade Data Breach Suit

Written by
The United States Court of Appeals for the Eighth Circuit recently affirmed the district court’s dismissal of a putative class action brought by customers of the brokerage firm Scottrade in the wake of an alleged data breach impacting Scottrade in 2013.  The named plaintiffs had asserted several contract-based claims against Scottrade, alleging that Scottrade had violated its contractual obligations to take adequate steps to safeguard the personal identifying information (“PII”) of its customers. The Eighth Circuit first considered whether the plaintiffs had adequately alleged standing.  [...] Read more

Anthem Settles Data Breach Litigation for Record-Setting $115M

Written by
Health insurance giant Anthem, Inc. agreed to the largest data breach settlement to-date last week, ending multi-district consumer litigation over a 2015 data breach for $115 million.  The data breach, which resulted from a hacker-orchestrated cyberattack following the theft of an employee password, exposed personally identifiable information (“PII”) and protected health information (“PHI”) of nearly 80 million people.  The stolen information included the names of current and former clients, dates of birth, addresses, social security numbers, and other medical information. The settlement [...] Read more

Northern District of Illinois Dismisses Barnes & Noble Data Breach Lawsuit

Written by
Earlier this month, the United States District Court for the Northern District of Illinois entered an order dismissing with prejudice a putative class action concerning a security breach affecting PIN pad devices at numerous Barnes & Noble locations.  The lawsuit, In re Barnes & Noble Pin Pad Litigation, No. 12-cv-8617 (N.D. Ill.), was brought by consumers who had used credit and debit cards at Barnes & Noble during the time period of the breach. The operative complaint pleaded several causes of action against Barnes & Noble, including breach of implied contract and the violation [...] Read more

Data Monetization and State Privacy Laws

Written by
On June 8, magazine publisher Trusted Media Brands, Inc. settled a class action lawsuit for $8.2 million after purportedly disclosing the personal information and magazine choices of customers to third parties.  The lawsuit, Taylor v. Trusted Media Brands, Inc., No. 7:16-cv-01812 (S.D.N.Y. June 8, 2017), alleged that the publisher’s actions violated Michigan’s Video Rental Privacy Act (VRPA), demonstrating the sometimes hidden legal risks of data monetization. VRPA, inspired by the federal Video Privacy Protection Act, was passed in 1988 and applies to the purchase, rental, or borrowing [...] Read more

France adopts new regime for privacy class actions

Written by
A few weeks ago, France passed the Digital Republic Act which significantly enhances French citizens’ rights to privacy by offering new avenues to exercise rights and granting new powers to the French data protection authority. A recent amendment to the Data Protection Act, adopted November 18, 2016, goes a mile farther and introduces a new type of class action for privacy-related matters. Class actions were introduced into the French Consumer Code quite recently, in 2014. Although largely inspired by the U.S.-style class action, class actions in France have a slightly different scope: [...] Read more

ECJ Declares IP Addresses are Personal Data

Written by
Today, the European Court of Justice (ECJ) issued its long-awaited decision in Breyer v. Germany.  Breyer addresses the question of whether IP addresses are “personal data” for purposes of EU data protection law.  As is widely known, personal data is any information that would permit a particular individual to be identified, whether directly or in combination with other information.  Until the present, there has been widespread agreement that static IP addresses are personal data.  In contrast, there has been little agreement on whether dynamic IP addresses constitute personal data.  While [...] Read more

Supreme Court Denies Cert in Leading Case on Internet Tracking and Analytics

Written by
The Supreme Court recently declined to review In re Google Inc. Cookie Placement Consumer Privacy Litigation—a consolidated class action alleging that Google and third-party advertisers evaded web browser privacy settings, causing cookies to be placed on plaintiffs’ computers. 806 F.3d 125 (3d Cir. 2015), cert. denied sub nom. Gourley v. Google, Inc., 84 U.S.L.W. 3531 (U.S. Oct. 3, 2016) (No. 15-1141). Given the Court’s denial of review, significant questions remain regarding the applicability of the Wiretap Act to internet communications. The Third Circuit’s opinion offers guidance [...] Read more