Litigation

Privacy & Data Security Team Launches Unique GDPR Tracker Website

Written by

“To Harmonize or Not To Harmonize: That Is the Question.” With the the GDPR fast approaching on May 25, 2018, European Member States are getting ready with the implementation of national legislation. Although the GDPR is a regulation, and directly applicable in all Member States, it has left room for country-specific legislation in several different regards (such as the processing of employee data or individual rights restrictions). Most Member States still only have draft legislation at this point, but the expectation (or at least intention) is that each country will have adopted legislation [...] Read more

Lenovo Wins Second Motion to Dismiss in Adware Class Action

Written by

By Jay Repko A California district court recently dismissed—for the second time—consumer claims that technology giant Lenovo Inc. violated New York’s Deceptive Acts and Practices Statute by selling laptops with preinstalled VisualDiscovery software that allegedly invades users’ privacy and exposes users to security breaches.  In reaching this decision, Judge Haywood S. Gilliam, Jr. concluded that dismissal was warranted for two reasons: (i) the plaintiffs lacked standing and (ii) the plaintiffs failed to adequately allege actual damages. By its very terms, New York’s Deceptive [...] Read more

ECJ Rules against Schrems Class Action, Sets Up Jurisdictional Questions for GDPR Class Actions

Written by

In late 2015, the European Court of Justice (ECJ) issued its initial Schrems decision, invalidating the EU/US Safe Harbor and leading to important developments in the rules for transferring personal data from the EU to the US.  Since that decision, Mr. Schrems has pursued two further legal proceedings in the EU. The first involves Mr. Schrems’ challenge in the Irish courts to EU Standard Contractual Clauses, which permit data to be transferred internationally between contract parties.  In the trial,  Alston & Bird Special Counsel Peter Swire testified as an expert on US national [...] Read more

Data Protection Litigation to Become a New Reality in Belgium

Written by

On November 16, 2017 the Belgian Senate adopted an “Act on the Establishment of the Data Protection Authority” (the “Act”). Following Austria, Germany, and the UK, Belgium is the fourth EU Member State to pass a domestic statute implementing the General Data Protection Regulation 2016/679 (“GDPR”) prior to its effective date of 25 May 2018. The new Belgian Act sets forth the structure and legal organization of the Data Protection Authority (“DPA”), which will serve as the successor of the current Belgian Privacy Commission. More importantly, the Act significantly broadens the DPA’s [...] Read more

Professor Peter Swire Publishes his Expert Testimony from Schrems 2.0

Written by

Peter Swire, Elizabeth and Thomas Holder Chair at the Georgia Tech Scheller College of Business and senior counsel at Alston & Bird, has made public his expert testimony from the landmark Irish High Court Case Data Protection Commissioner v. Facebook Ireland Limited & Maximillian Schrems. Under the Irish Court’s rules, Swire was asked to provide an independent opinion on U.S. surveillance law to assist the Court in its decision. Swire’s testimony highlights U.S. systemic remedies, U.S. individual remedies, Foreign Intelligence Surveillance Court oversight, and the broader implications [...] Read more

Eighth Circuit Affirms Dismissal of Scottrade Data Breach Suit

Written by

The United States Court of Appeals for the Eighth Circuit recently affirmed the district court’s dismissal of a putative class action brought by customers of the brokerage firm Scottrade in the wake of an alleged data breach impacting Scottrade in 2013.  The named plaintiffs had asserted several contract-based claims against Scottrade, alleging that Scottrade had violated its contractual obligations to take adequate steps to safeguard the personal identifying information (“PII”) of its customers. The Eighth Circuit first considered whether the plaintiffs had adequately alleged standing.  [...] Read more

Northern District of Illinois Dismisses Barnes & Noble Data Breach Lawsuit

Written by

Earlier this month, the United States District Court for the Northern District of Illinois entered an order dismissing with prejudice a putative class action concerning a security breach affecting PIN pad devices at numerous Barnes & Noble locations.  The lawsuit, In re Barnes & Noble Pin Pad Litigation, No. 12-cv-8617 (N.D. Ill.), was brought by consumers who had used credit and debit cards at Barnes & Noble during the time period of the breach. The operative complaint pleaded several causes of action against Barnes & Noble, including breach of implied contract and the violation [...] Read more

France adopts new regime for privacy class actions

Written by

A few weeks ago, France passed the Digital Republic Act which significantly enhances French citizens’ rights to privacy by offering new avenues to exercise rights and granting new powers to the French data protection authority. A recent amendment to the Data Protection Act, adopted November 18, 2016, goes a mile farther and introduces a new type of class action for privacy-related matters. Class actions were introduced into the French Consumer Code quite recently, in 2014. Although largely inspired by the U.S.-style class action, class actions in France have a slightly different scope: [...] Read more

Supreme Court Holds Congress Cannot Confer Automatic Standing By Statute

Written by

The Supreme Court has issued its much anticipated opinion in Spokeo Inc. v. Robins, No. 13-1339, 578 U.S. ___ (2016) (click here for a prior post detailing the procedural history and case background).  The Supreme Court granted certiarori in Spokeo to determine whether a bare violation of a statute – the Fair Credit Reporting Act (“FCRA”) – is sufficient to confer Article III standing, which requires that an injury be both (a) concrete and particularized and (b) actual or imminent.  Below the Ninth Circuit held that Robins’ allegation of an FCRA violation were sufficient, but the Supreme [...] Read more

FTC and Wyndham Settle Data Security Allegations

Written by

On December 9, 2015, the Federal Trade Commission announced that Wyndham Worldwide Corp., Wyndham Hotel Group LLC, Wyndham Hotels and Resorts, LLC, and Wyndham Hotel Management, Inc. (“Wyndham”) had agreed to settle FTC charges that the company’s security practices unfairly exposed the payment card information of consumers to hackers in three separate data breaches between April 2008 and January 2010.  Wyndham initially challenged the FTC’s authority to regulate private companies’ cybersecurity practices under Section 5 of the FTC Act’s unfairness prong which resulted in litigation [...] Read more