Category Archives: Privacy Litigation

France adopts new regime for privacy class actions

Written by
A few weeks ago, France passed the Digital Republic Act which significantly enhances French citizens’ rights to privacy by offering new avenues to exercise rights and granting new powers to the French data protection authority. A recent amendment to the Data Protection Act, adopted November 18, 2016, goes a mile farther and introduces a new type of class action for privacy-related matters. Class actions were introduced into the French Consumer Code quite recently, in 2014. Although largely inspired by the U.S.-style class action, class actions in France have a slightly different scope: [...] Read more

ECJ Declares IP Addresses are Personal Data

Written by
Today, the European Court of Justice (ECJ) issued its long-awaited decision in Breyer v. Germany.  Breyer addresses the question of whether IP addresses are “personal data” for purposes of EU data protection law.  As is widely known, personal data is any information that would permit a particular individual to be identified, whether directly or in combination with other information.  Until the present, there has been widespread agreement that static IP addresses are personal data.  In contrast, there has been little agreement on whether dynamic IP addresses constitute personal data.  While [...] Read more

Supreme Court Denies Cert in Leading Case on Internet Tracking and Analytics

Written by
The Supreme Court recently declined to review In re Google Inc. Cookie Placement Consumer Privacy Litigation—a consolidated class action alleging that Google and third-party advertisers evaded web browser privacy settings, causing cookies to be placed on plaintiffs’ computers. 806 F.3d 125 (3d Cir. 2015), cert. denied sub nom. Gourley v. Google, Inc., 84 U.S.L.W. 3531 (U.S. Oct. 3, 2016) (No. 15-1141). Given the Court’s denial of review, significant questions remain regarding the applicability of the Wiretap Act to internet communications. The Third Circuit’s opinion offers guidance [...] Read more

Eighth Circuit Decision Interpreting Spokeo Shows Impact of Supreme Court Decision on Privacy Actions

Written by
In issuing its decision in Braitberg v. Charter Communications, the Eighth Circuit recently became the first federal appellate court to issue a published opinion interpreting Spokeo and, as predicted, shows that the Supreme Court’s ruling will have a significant impact on the viability of privacy-related claims.  In Braitberg, the plaintiff alleged that Charter indefinitely retained consumer data in violation of the Cable Communication Policy Act. The plaintiff did not allege any “actual injury;” instead, the plaintiff argued that a violation of the statute alone was sufficient to establish [...] Read more

Austrian Supreme Court Refers Schrems Consumer Class Action to ECJ

Written by
Just under a year ago today, the European Court of Justice (ECJ) issued its Schrems decision, which invalidated Safe Harbor and led to substantial developments in US-EU data-transfer mechanisms.  In parallel to the ECJ Safe Harbor litigation, Mr. Schrems has maintained two further legal proceedings in the EU: (1) a challenge in the Irish courts to EU Standard Contractual Clauses, which permit data to be transferred internationally between contract parties; and (2) an attempt to certify an EU-wide consumer class action before the Austrian courts. Today, the Austrian Supreme Court took a major [...] Read more

German DPAs Will Not Be Able to Challenge Privacy Shield this Year

Written by
Even before the ECJ’s Schrems decision invalidated Safe Harbor, the European Commission had begun working closely with US negotiators to craft what has become the U.S.-EU Privacy Shield.  While EU privacy leaders have noted that Privacy Shield represents important improvements in data protection, some German DPAs have voiced a desire to challenge Privacy Shield in court.  This desire is not necessarily uniform; Germany has 16 state and one federal DPA, and their approaches to particular issues can diverge.  Nonetheless, as we reported last year, at least one German DPA has taken the position [...] Read more

Supreme Court Holds Congress Cannot Confer Automatic Standing By Statute

Written by
The Supreme Court has issued its much anticipated opinion in Spokeo Inc. v. Robins, No. 13-1339, 578 U.S. ___ (2016) (click here for a prior post detailing the procedural history and case background).  The Supreme Court granted certiarori in Spokeo to determine whether a bare violation of a statute – the Fair Credit Reporting Act (“FCRA”) – is sufficient to confer Article III standing, which requires that an injury be both (a) concrete and particularized and (b) actual or imminent.  Below the Ninth Circuit held that Robins’ allegation of an FCRA violation were sufficient, but the Supreme [...] Read more

Art. 29 Working Party Issues Formal Opinion Opposing Privacy Shield

Written by
Several hours after holding a closely-watched press conference we reported on yesterday, the Article 29 Working Party (“Art. 29 WP”) released its highly anticipated formal opinion on the adequacy of Privacy Shield. Background The European Commission has put forth a draft “adequacy decision” in which it declares that on the basis of Privacy Shield, the United States offers data protection that is essentially equivalent to that offered in the EU.  If adopted, this adequacy decision would permit data transfers to US companies that agree to abide by the Privacy Shield principles.  The [...] Read more

EU Council Issues New Consolidated GDPR and Accelerates GDPR’s Legislative Timetable

Written by
Yesterday evening, the Council of Ministers issued a new consolidated version of the General Data Protection Regulation (GDPR).  This is the first “clean” version of the GDPR that (a) incorporates all revisions agreed upon from the time of the Commission’s original 2012 proposal to the December 2015 trilogue compromise text; and (b) numbers individual provisions as can be anticipated in the final adopted version of the GDPR.  The new consolidated text can be accessed here. The new GDPR text follows closely on the heels of the Council accelerating the timetable for the GDPR’s passage.  [...] Read more

Examining the Judicial Redress Act

Written by
The proposed Judicial Redress Act has recently been touted as a critical step towards developing a revised “Safe Harbor 2.0" framework. (See our prior posts on Safe Harbor here and here.) This post summarizes the essential provisions of the bill as passed by the House of Representatives and currently pending before the U.S. Senate. As currently drafted, the Judicial Redress Act extends privacy protections and remedies available under the federal Privacy Act to qualifying non-U.S. individuals. The Privacy Act, enacted in 1974, provides individuals with limited rights to review, copy, and request [...] Read more