The General Data Protection Regulation (“GDPR”): A European Law With Global Reach

By Joshua L. Young

Today the General Data Protection Regulation (“GDPR”) replaces Data Protection Directive 95/46/EC as the European Union’s (“EU”) primary law regulating how companies protect EU citizens’ personal data. The GDPR is intended to harmonize privacy laws across Europe and bring about operational changes with regard to how organizations collect, store, process and think about their customers’ personal information. 

The GDPR applies to organizations located within the EU as well as organizations located outside the EU that offer goods or services to EU data subjects or process the personal data of EU data subjects. This includes U.S. companies that have customers in the EU, market products and services in the EU, or process EU citizens’ personal data. Article 4 of the GDPR defines “personal data” as

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly in particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Online identifiers include “traces” left by a data subject’s “devices, applications, tools, and protocols,” including IP addresses, cookies, MAC addresses, and RFID tags, which when combined with other identifying information can identify a given data subject.

This definition of personal data is significantly broader than what is considered personal data under U.S. state and federal laws. California’s data breach law, for example, defines personal information as (1) An individual’s first name or first initial and last name in combination with any one or more of the following: Social security number; Driver’s license number or California identification card number; Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; Medical information; Health insurance information; Information or data collected through the use or operation of an automated license plate recognition system; or (2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account. CA Civ. Code § 1798.82(h). California’s definition does not include the range of online identifiers encompassed by the GDPR or the open-ended “factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”

The GDPR applies to both data controllers and data processors. This is a departure from the previous EU regulation governing data privacy, the 1995 Data Protection Directive, which only applied to data controllers. Now data processors have direct statutory obligations and share joint and several liability with data controllers for damages. The GDPR describes data controllers as entities that decide the purpose and manner that personal data is used or will be used. A data processor is a person or group that processes the data on behalf of the controller. The act of processing consists of obtaining, recording, adapting or holding personal data.

Notable requirements of the GDPR include:

·       Privacy by Design and by Default – Data protection considerations must factor into the design and development of products, processes or services that will process personal data. When a system or service gives consumers choices regarding the amount of personal data she/he shares, the most privacy friendly choices should be the default setting.

·       Stronger Consent Requirements – In most cases a data subject’s consent is required before the subject’s data can be processed. Requests for consent must be intelligible, accessible, and articulate the purpose of the data processing. The data subject’s consent must be clearly given and specifically directed to purpose of the data processing articulated at the time consent was requested. It must be as easy for the data subject to withdraw consent as it is to grant it.

·       Right to Access – Data subjects have the right to ask a data controller to confirm whether it is processing any of their personal data, where and for what purpose. Data subjects can also request an electronic copy of any personal data a data controller has stored about them free of charge.

·       Data Portability – Data subjects have the right to receive, in a “commonly used and machine readable format,” any personal data a controller possesses concerning them. The data subject is then free to transfer this data to a different controller.

·       Data Erasure (Right to be Forgotten) – Under certain conditions, a data subject can request that a data controller erase and cease dissemination of her/his personal data, and even make third party data processors halt processing of their data.

·       Mandatory Breach Notification – Where a data breach is likely to “result in a risk for the rights and freedoms of individuals,” notice must be given within 72 hours after the organization learns of the breach.  Data processors must notify data controllers “without undue delay,” after learning of a breach.

·       Data Protection Officers – Companies that regularly process sensitive data on a large scale or regularly and systemically monitor individuals on a large scale must appoint a Data Privacy Officer (“DPO”).  For example, a DPO would be mandatory for hospital or accounting firm processing large sets of sensitive data. A DPO would likely not be necessary for a local doctor’s office or accountant that processes the data of its patients or clients.

Organizations will not be able to satisfy these requirements with superficial or pro forma measures. The GDPR is intended to force organizations to encode privacy protections into their DNA, such that privacy protections become an inseparable component of daily operations. Non-compliant organizations face steep fines (maxing out at roughly $25 million dollars or 4% of global annual turnover, whichever is higher), though it remains to be seen how aggressively regulators will enforce compliance early on. Each EU member state is responsible for setting up a Data Protection Authority (“DPA”) tasked with monitoring whether individual data subjects can exercise their rights and evaluating whether organizations are processing personal data in compliance with the GDPR. The DPA has the power to investigate suspected violations and conduct data protection audits. The DPA may request access to a data controller or processor’s premises, processing equipment, customer data flow, and data protection procedures.

Organizations will be best served if they view the GDPR not as a burden, but an overdue opportunity to overhaul treatment of customer data. Adopting procedures to comply with the GDPR will help organizations prepare for future privacy law developments in jurisdictions outside the EU. In California, for example, a currently proposed ballot measure would incorporate some of the protections mandated by the GDPR. The California Consumer Privacy Act of 2018 would, among other things, give Californians the right to know what personal information a business has collected about them and to tell the business not to sell the information, prohibit businesses from discriminating against consumers who exercise these rights, and strengthen enforcement measures for holding business accountable for safeguarding the information. While there is no guarantee the California Consumer Privacy Act of 2018 will ever become law, it’s a safe bet that it won’t be the last effort to import GDPR protections into domestic legislation.

California businesses of all types and sizes would be well advised to reevaluate, and if necessary, reform their data privacy practices with an eye towards the GDPR. Even if a company does not fall under the GDPR today, using the GDPR to inspire and guide data protection reforms will allow the company to better protect customer privacy and better position itself to address rapidly evolving data privacy laws.

Ninth Circuit Sends Cab Customers Home, Finds No Article III Harm From Ride Receipts With Extra Credit Card Digit

By Joshua L. Young

Recently, in an unpublished opinion, the Ninth Circuit affirmed a District of Nevada court’s finding that a class of taxi cab customers lacked standing to bring claims under the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”). Noble v. Nev. Checker Cab Corp., No. 16-16573, 2018 U.S. App. LEXIS 5963, at *4-5 (9th Cir. Mar. 9, 2018). Noble is the latest in a line of Ninth Circuit cases addressing the “injury in fact” requirement of Article III standing in the context of data breach and privacy law violations. Taken together, these recent cases indicate that courts are requiring plaintiffs to allege a specific harm, or specific risk of harm, to sufficiently plead standing. Without an allegation that sensitive information has made it into the hands of someone likely to use it to commit identity fraud, courts have found that the plaintiffs have not sufficiently alleged the “injury in fact” necessary to standing.

Under FACTA, “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. § 1681c(g). The plaintiffs alleged that certain Nevada cab companies had violated FACTA by printing receipts containing the first digit and last four digits of their customer’s credit cards. The district court granted the defendants’ motion to dismiss on the basis that the plaintiffs did not have standing and not sufficiently alleged a violation of FACTA. Noble v. Nev. Checker Cab Corp., 2016 U.S. Dist. LEXIS 110799, at *10 (D. Nev. Aug. 19, 2016). On appeal, the Ninth Circuit held that the plaintiffs-appellants had sufficiently alleged a violation of FACTA, but had not alleged a sufficiently concrete injury to confer Article III standing. Specifically, the appellants had not alleged that “anyone else had received or would receive a copy of their credit card receipts” or that information printed on the receipts “involve[d] the sort of revelation of information that Congress determined could lead to identity theft.” Id. at *4.

The Ninth Circuit’s analysis in Noble was guided by its recent decision in Bassett v. ABM Parking Servs., 2018 U.S. App. LEXIS 4097 (Feb. 21, 2018). In Bassett, the Ninth Circuit held the defendant violated FACTA when it printed credit card expiration dates on parking garage receipts, but the violation alone did not create a concrete injury necessary for Article III standing. “Bassett did not allege that another copy of the receipt existed, that his receipt was lost or stolen, that he was the victim of identity theft, or even that another person apart from his lawyers viewed the receipt.” Bassett, 2018 U.S. App. LEXIS 4097, at *16 (citations omitted).  (citing Meyers v. Nicolet Rest. of De Pere, LLC, 843 F.3d 724, 727 (7th Cir. 2016) (affirming dismissal of claims alleging violation of FACTA expiration date requirement because “without a showing of injury apart from the statutory violation, the failure to truncate a credit card’s expiration date is insufficient to confer Article III standing.”)). 

In Bassett, the Ninth Circuit relied on the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), as well as two post-Spokeo circuit cases in which consumer class actions alleging violations of the FACTA’s redaction requirements were dismissed for lack of standing. See Crupar-Weinmann v. Paris Baguette Am., Inc., 861 F.3d 76 (2d Cir. 2017) and Meyers v. Nicolet Rest. of De Pere, LLC, 843 F.3d 724 (7th Cir. 2016). In Spokeo, the plaintiff claimed that Spokeo, Inc., a consumer reporting agency, had willfully failed to comply with the Fair Credit Reporting Act of 1970 (“FCRA”). The FCRA mandates that consumer reporting agencies “follow reasonable procedures to assure maximum possible accuracy of” consumer reports, 15 U. S. C. §1681e(b), and imposes liability on “[a]ny person who willfully fails to comply with any requirement [of the Act] with respect to any” individual, §1681n(a). Spokeo, Inc. operates a “‘people search engine,’ which searches a wide spectrum of databases to gather and provide personal information about individuals to a variety of users, including employers wanting to evaluate prospective employees.” Spokeo, Inc., 136 S. Ct. at 1543. After the plaintiff discovered that his Spokeo-generated profile was inaccurate, he filed a class action complaint alleging that Spokeo had willfully failed to comply with the requirement that it follow reasonable procedures to assure the maximum possible accuracy of its reports. Spokeo, 136 S. Ct. at 1546. The Supreme Court reversed the Ninth Circuit’s holding that the plaintiff had adequately alleged an injury in fact and held that “Article III standing requires a concrete injury even in the context of a statutory violation . . . [Plaintiffs] cannot satisfy the demands of Article III by alleging a bare procedural violation.” 136 S. Ct. 1540, 1549-50 (2016).

 Noble, Bassett, and post-Spokeo decisions in other circuits show that courts are unlikely to find a concrete harm where a plaintiff fails to allege that a bad actor is in possession of data that could lead to identity theft or fraud. In Noble and Bassett, the Ninth Circuit emphasized the fact that the allegedly unlawful receipts never fell into the hands of bad actors. By contrast, in Stevens v. Zappos.com, Inc., 2018 U.S. App. LEXIS 5841, (9th Cir. Mar. 8, 2018) and Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), which I wrote about here, the Ninth Circuit found concrete harms based on the plaintiffs’ allegations that there was an “imminent” risk of future identity theft or fraud. In Stevens, thieves stole an unsecured laptop, and in Krottner, hackers breached a server.

Of additional importance is the extent to which the stolen information could lead to identity theft. The data stolen in Stevens and Krottner included information that could foreseeably lead to identity theft, and, for a class of plaintiffs in Stevens, did lead to identity theft. See Stevens, 2018 U.S. App. LEXIS 5841, at *2 (the hacked information included the “names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million Zappos customers.”); Krottner, 628 F.3d at 1140 (the stolen information included “names, addresses, and social security numbers of approximately 97,000 Starbucks employees.”).

By contrast, in Noble, the Ninth Circuit explained that “the alleged FACTA violation here does not involve the sort of revelation of information that Congress determined could lead to identity theft.” Noble, at *4. Specifically, “the first digit of a credit card number merely identifies the brand of the card, and Congress has not prohibited printing the identity of the credit card issuer along with the last five digits of the credit card number.” Noble, at *4-5.

Ninth Circuit Sides With Plaintiffs Claiming Compensable Harm From Data Breaches

Joshua L. Young

Last week, the Ninth Circuit held that the victims of a 2012 data breach of Zappos.com (“Zappos”) faced a “substantial risk” of future identity theft that was sufficient to meet the injury in fact requirement for Article III standing.  Stevens v. Zappos.com, Inc. (In re Zappos.com, Inc., Customer Data Sec. Breach Litig.), 2018 U.S. App. LEXIS 5841 (Mar. 8, 2018).

Sometime before January 16, 2012, hackers breached Zappos’s servers and allegedly stole more than 24 million customers’ names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information.  Following the breach, customers around the country filed class action lawsuits against Zappos, alleging negligence, breach of contract, unjust enrichment and breach of the covenant of good faith and fair dealing, as well as violations of various states’ deceptive trade practices, consumer protection acts, and data breach notification statutes.  In June 2012, six of the class action suits were consolidated in the U.S. District Court for the District of Nevada.  Some plaintiffs had alleged that they had already suffered financial losses from identity theft resulting from the breach.  Other plaintiffs had alleged that although they had not yet suffered financial losses from identity theft, there was an “imminent” risk they would suffer such harms in the future.  Zappos moved to dismiss the plaintiffs’ claims for lack of Article III standing. 

In May 2016, the district court granted in part and denied in part Zappos’s motion to dismiss the plaintiffs’ Third Amended Consolidated Complaint.  The district court found that “the first group of plaintiffs had Article III standing because they alleged ‘that actual fraud occurred as a direct result of the breach,’” but the second group plaintiffs lacked standing because they “‘failed to allege instances of actual identity theft or fraud.’”  Id. at *5-6.  The plaintiffs appealed.

The Ninth Circuit focused its analysis on a case the district court did not consider, Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).  “In Krottner, a thief stole a laptop containing ‘the unencrypted names, addresses, and social security numbers of approximately 97,000 Starbucks employees.’”  Id. at *6-7 (citing Krottner, 628 F.3d at 1140).  The plaintiffs in Krottner successfully alleged an Article III harm because the “increased risk of future identity theft” amounted to “‘a credible threat of real and immediate harm’ because the laptop with their [personally identifiable information] had been stolen.’”  Id. at *7 (citing Krottner, 628 F.3d at 1143). 

Zappos argued that Krottner fell short of the standards set forth in Clapper v. Amnesty International USA, which held that a “threatened injury must be certainly impending to constitute injury in fact.”  568 U.S. 398, 401 (2013) (citations omitted).  In Clapper, a group of “‘attorneys and human rights, labor, legal, and media organizations whose work allegedly require[d] them to engage in sensitive and sometimes privileged telephone and e-mail communications with . . . individuals located abroad,’” challenged surveillance procedures authorized by the Foreign Intelligence Surveillance Act of 1978 (“FISA”).  Id. at *8 (citing Clapper, 568 U.S. at 401, 406).  The plaintiffs argued they had standing under Article III because there was an objectively reasonable likelihood that the government would use FISA to acquire their communications in the future.  Clapper, 568 U.S. at 401.  The Supreme Court found that the plaintiffs’ “theory of standing, which relies on a highly attenuated chain of possibilities, does not satisfy the requirement that threatened injury must be certainly impending.”  Clapper, 568 U.S. at 410 (citations omitted).

The Ninth Circuit rejected Zappos’ argument that Krottner conflicted with Clapper.

Unlike in Clapper, the plaintiffs’ alleged injury in Krottner did not require a speculative multi-link chain of inferences. See Krottner, 628 F.3d at 1143.  The Krottner laptop thief had all the information he needed to open accounts or spend money in the plaintiffs’ names—actions that Krottner collectively treats as “identity theft.” Id. at 1142.  Moreover, Clapper’s standing analysis was “especially rigorous” because the case arose in a sensitive national security context involving intelligence gathering and foreign affairs, and because the plaintiffs were asking the courts to declare actions of the executive and legislative branches unconstitutional. Clapper, 568 U.S. at 408 (quoting Raines v. Byrd, 521 U.S. 811, 819 (1997)).  Krottner presented no such national security or separation of powers concerns.

Id. at *10.  The Ninth Circuit then pointed out other cases where the Supreme Court had found that a “substantial risk” of injury satisfied Article III, including Susan B. Anthony List v. Driehaus.  In that case, the Supreme Court stated that “[a]n allegation of future injury may suffice if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk that the harm will occur.’”  Id. at 10-11 (citing Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (quoting Clapper, 568 U.S. at 414 & n.5)).

Having determined that Krottner did not conflict with Clapper, the Ninth Circuit explained that in Krottner “the sensitivity of the personal information, combined with its theft, led us to conclude that the plaintiffs had adequately alleged an injury in fact supporting standing.”  Stevens, 2018 U.S. App. LEXIS 5841 at *11 (citing Krottner, 628 F.3d at 1143).  The Ninth Circuit then found that the data stolen from Zappos’s servers was sensitive enough to give “hackers the means to commit fraud or identity theft” and was thus similar enough the data stolen in Krottner to support a finding that the plaintiffs who had not yet experienced fraud as a result of the breach had adequately alleged an injury in fact.  Id. at 11-12.  The court further noted that the existence of a different class of plaintiffs that allegedly had already experienced fraud as a result of the breach, “undermines Zappos’s assertion that the data stolen in the breach cannot be used for fraud or identity theft.”  Id. at *13.  The Ninth Circuit remanded the case to the district court for further proceedings.

Stevens is one of the most recent Ninth Circuit cases to address standing in the context of data breach and privacy violations.  While standing remains a substantial hurdle for data breach plaintiffs, Stevens and Krottner demonstrate that when a thief or hacker acquires information sensitive enough to perpetrate future identity fraud, the risk of harm is likely substantial enough to satisfy the injury in fact requirement for Article III standing.

Federal Circuit Unwinds PTAB Decision, Rejects Secondary Reference As Not Analogous Art

By: Gene Cherng 

In a rare occurrence, the Federal Circuit overturned an invalidity determination on the basis that one of the references was not in a field of art “analogous” to the art of the patent at issue. Smith & Nephew, Inc. v. Hologic, Inc., No. 2017-1008 (Fed. Cir. January 30, 2018) (nonprecedential).

The patent at issue was directed to a surgical instrument “with a cutting member for semi-rigid tissue” capable of simultaneous rotation, translation, and reciprocation to enable it to cut into semi-rigid tissue without bouncing away. The obviousness rejection was based on a combination of three references – one of which (“Galloway”) was directed at an apparatus with a reciprocating apparatus used in the production and winding of glass fibers.

The PTAB determined that the challenged claims and Galloway both were relevant to solving the technical problem of converting “rotational motion into simultaneous rotational, translational, and reciprocal motions,” and found that a person of ordinary skill in the art would have found Galloway “reasonably pertinent to the technical problem with which the inventor was involved.” Hologic, Inc. v. Smith & Nephew, Inc., No. 2015-007845 (P.T.A.B. Jan. 20, 2016) (citations omitted).

Not so, held the Federal Circuit. Citing to In re Clay, 966 F.2d 656, 658 (Fed. Cir. 1992), the Federal Circuit reiterated that “[a] reference is reasonably pertinent if, even though it may be in a different field from that of the inventor’s endeavor, it is one which, because of the matter with which it deals, logically would have commended itself to an inventor’s attention in considering his problem.”  The court held that PTAB erred in reducing the problem solved by invention in the challenged claim to a simple mechanical problem:

The inventors of the ’459 patent focused on solving the difficulty in cutting large amounts of semi-rigid tissue. Galloway, in contrast, is directed to winding glass fiber. Even though both ended up with similar mechanical solutions, it is beyond a stretch to say that Galloway ‘logically would have commended itself to an inventor’s attention in considering his problem.’  [In re Clay, 966 F.2d] at 659.

Smith & Nephew, slip. op. at 11.

Unfortunately, the Federal Circuit’s opinion was not all good news for the patentee. Other than the three claims rejected based on Galloway that were reversed, the invalidity determinations as to the remaining nineteen challenged claims were affirmed.  Two of the three claim rejections that were reversed were remanded back to the Board to reconsider the patentability of these “surviving” claims under other rejections.

Notwithstanding the outcome for the patentee, Smith & Nephew provides an analytical framework for litigants to consider in connection with evaluating the value of prior art that is far afield from the art relevant to the patent in suit.  Because whether a reference is analogous art is a question of fact, In re Clay, 966 F.2d at 658, Smith & Nephew also suggests a potential role for expert testimony or other factual evidence to support (or refute) a claim that a particular reference is in an “analogous art.”