Data Privacy
Facebook and FTC Agree to Settle Privacy Probe Claims
By Tom Kierner, Womble Bond Dickinson (US) LLP
On July 24, 2019, Facebook executed a settlement with the Federal Trade Commission (“FTC”) to pay a $5 billion penalty and accept new privacy obligations and tools for the FTC to monitor compliance. Depending on which FTC Commissioner you listen to, the settlement either (i) far exceeds what could be achieved in litigation or (ii) falls far short of what the FTC could reasonably seek merely from the forfeiture of Facebook’s unjust gains.
If approved by the court, the settlement will resolve claims that Facebook violated a 2012 FTC Consent Order (the “2012 Order”) as well as new claims of unfair and deceptive acts or practices. That 2012 Order, among other things, prohibited Facebook from misrepresenting the extent to which Facebook makes user information accessible to third parties.
In its 2019 complaint against Facebook, the FTC alleged several instances where Facebook failed to comply with its 2012 Order obligations. For instance, in 2014, Facebook CEO Mark Zuckerberg publicly announced that Facebook would stop allowing third-party developers to collect data about users’ Facebook friends. However, Facebook had secret arrangements with dozens of developers that allowed those developers to continue to harvest that data until June 2018.
In addition to the eye-popping monetary penalty, Facebook has agreed to several adjustments to its conduct, including significant changes to its corporate governance that aims to limit Mark Zuckerberg’s authority over privacy decisions and increase accountability and transparency.
Vermont Recognizes Private Right of Action for Disclosure of Medical Information
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The Vermont Supreme Court has recognized that the common-law provides a private right of action for damages where medical personnel disclose information to a third party without justification. In Lawson v. Halpern-Reiss, No. 2018 – 157 (Vt. May 17, 2019), the plaintiff sued the Central Vermont Medical Center after a nurse informed a police officer that she was intoxicated, had driven herself to the hospital and was about to drive herself home. Plaintiff was arrested but charges against her were later dropped. The Supreme Court affirmed the trial court in finding that the common law recognized a private right of action based on the unjustified disclosure of information obtained by a medical provider during treatment.
The court found that state law already endorsed a duty of confidentiality between medical providers and patients so recognizing the common law remedy upheld the expectations of the providers, patients and the public. Because the legislature essentially codified the requirements of the federal Health Information Portability and Accountability Act law into state law, the HIPAA statute and regulations inform the standard of care and exceptions with respect to the duty of confidentiality. HIPAA provides an exception allowing disclosure of information to avert a serious threat to health or safety. The court held that the plaintiff failed to rebut the presumption of good faith that the disclosure was necessary to protect the safety of plaintiff and the public. Accordingly, the court affirmed summary judgment in favor of the medical center.
Digital Currency
Congress Holds Hearings on Libra, Facebook’s Proposed Digital Currency
By Stephen T. Middlebrook, Womble Bond Dickinson
On July 16, 2019, the Senate Banking Committee held a hearing on data privacy and other concerns raised by Facebook’s proposed digital currency known as Libra. The sole witness was David Marcus, Head of Calibra, a Facebook subsidiary which will provide financial services on the Libra blockchain. Mr Marcus also testified the following day at hearings convened by the House Financial Services Committee. At the House hearings, Mr. Marcus was joined by law professors Chris Brummer and Katharina Pistor as well as former Treasury official and current MIT professor Gary Gensler. At those hearings, House Democrats unveiled a draft of the Keep Big Tech Out of Finance Act which would prohibit Facebook from issuing a digital asset or virtual currency.
DOJ Charges Head of Bitcoin Escrow Company with Commodities Fraud
By Stephen T. Middlebrook, Womble Bond Dickinson
The Department of Justice has charged Jon Barry Thompson, principal of Volatnis Escrow Platform, with commodities fraud and wire fraud. The government alleges Thompson convinced two companies to wire him millions of dollars which he was to hold in escrow to facilitate the purchase of bitcoin. No cryptocurrency was actually purchased or transferred and Thompson made off with the money.
FEC Approves Distribution of Tokens to Campaign Volunteers
By Stephen T. Middlebrook, Womble Bond Dickinson
The Federal Election Commission issued an advisory opinion approving a political campaign’s distribution of digitial blockchain tokens with no monetary value to campaign volunteers as an incentive to engage in volunteer activities. Volunteers received the tokens for registering to vote, hosting events and doing other things to support the campaign. The tokens cannot be bought or sold or used to obtain goods or services. At the end of the campaign, the three volunteers with the most tokens will receive prizes and participants may keep their tokens as souvenirs. The FEC concluded the tokens did not constitute compensation to volunteers which would be prohibited under applicable law but rather were indistinguishable from traditional forms of campaign souvenirs which are allowed.
E-Commerce
CDA Immunizes ISPs for Publishing False Info Provided by Third Parties
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The U.S. District Court for the District of Columbia has recently held that internet service providers are protected by the Communications Decency Act against claims for publishing content provided by third parties. In Marshall’s Locksmith Service, Inc., v. Google, LLC, No. 18 – 7018 (D.C. June 7, 2019), fourteen locksmith businesses sued Google, Microsoft, and Yahoo! challenging their search engine practices that allegedly permitted “scam” locksmiths to appear as local businesses to induce legitimate businesses to pay for advertised search results to combat the false information put forth by the scam companies. The plaintiffs argued the search engines published content that boosted the scam locksmith search results, knowing that some of it was false.
The District Court granted the defendants’ motion to dismiss all counts other than breach-of-contract as barred under the Communications Decency Act, which insulates online providers from liability for third party content they publish. The Court of Appeals affirmed, finding the challenged content published by defendants was protected under the Act. The Court noted that immunity under the Act “is not limitless” and would not protect information fabricated by the search engines based on the content provided to them.
International Law
British Airways: Large GDPR Fines Now a Reality in the UK
By Valerie Surgenor, MacRoberts
On July 8, 2019, the Information Commissioner’s Office (the ICO) issued notice of its intention to serve a penalty notice (a fine) on British Airways (BA). The ICO intend to fine BA £183.39 million following last year’s personal data breach where “a variety of information was compromised by poor security arrangements” led to log-in, payment card and travel booking details as well as name and address information of 429,000 online customers being exposed. The fine of £183.39 million is the largest penalty ever issued by the ICO and is the first UK GDPR fine. The penalty amounts to 1.5% of BA’s worldwide annual turnover in 2017, less than the maximum penalty of 4%.
ICO's Second GDPR Fine in as Many Days Highlights Importance of Due Diligence in Acquisitions
By Valerie Surgenor, MacRoberts
On July 8, hot on the heels of the proposed British Airways fine, the ICO issued notice of its intention to serve a penalty notice (a fine) on Marriott International Inc (Marriott). The ICO intends to fine Marriott £99,200,396 following last year’s personal data breach whereby the data of around 339 million guests globally was exposed, with around 30 million records relating to residents of the European Economic Area, approximately seven million of which related to UK residents. Whilst Marriott did co-operate with the ICO throughout the investigation and has since taken steps to improve the security of their systems, the ICO found that Marriott did not undertake satisfactory due diligence when it acquired Starwood as this should have been uncovered in the acquisition process; and Marriott should have had more robust security measures in place to ensure the security of the systems.