Third Circuit Vacates Cy Pres Award in Cookie Litigation
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The U.S. Court of Appeals for the Third Circuit recently left open the possibility of using a cy pres settlement to resolve class-action claims involving privacy disputes. The precedential decision in In re Google Inc. Cookie Placement Consumer Privacy Litig., No. 17-1480 (3d Cir. Aug. 6, 2019), vacated a proposed class-action settlement that would have effected a full release from class members without providing them any direct compensation. Instead, the settlement provided for Google to pay $5.5 million that would be distributed among the class counsel, class representatives, and six cy pres recipients selected by Google and the class. The cy pres recipients were data-privacy organizations that agreed to use the funds for research and promotion of browser privacy. The litigation involved allegations that Google Inc. violated internet users’ privacy through deceptive use of web-tracking technology.
The District Court had approved the settlement over an objection that it was unfair because of the cy pres award. The Court of Appeals declined to hold that a cy pres-only settlement can never be fair, finding that it may be appropriate in some cases. Nonetheless, the Court of Appeals criticized the District Court’s analysis that it was fair in this case, specifically as to the proposed broad class-wide release and prior connections between the cy pres recipients and the defendant and class counsel.
NIST Seeks Comments on IOT Cybersecurity Draft
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The National Institute of Standards and Technology (NIST) has published a draft cybersecurity guide for manufacturers of Internet-of-Things (IOT) devices. The guide is intended to define a core baseline of features for voluntary adoption, along with information to identify and implement additional features as appropriate so that customers can improve their IOT device security. The guide notes that its list of features is not exhaustive but is intended to work as a starting point for minimum securability. Public comments can be submitted on the document until September 30, 2019.
German Authority Investigates Facebook
By Rebecca Henderson, MacRoberts LLP
The German Competition Authority recently launched an investigation into Facebook’s collection of data on Facebook-owned platforms and combining such data with other information held by Facebook (therefore building up a much greater picture of individuals - what they like and are interested in – than they had without combining the data).
The platforms concerned all had terms and conditions, acceptance of which are a pre-condition of accessing all Facebook-owned platforms. In such terms and conditions, it was disclosed to individual users that their data across such platforms would be shared and combined for Facebook’s own purposes, however consent was never sought from data subjects for this. In response to accusations, Facebook responded that the combining of data was necessary to operate the platform(s) and therefore consent from data subjects was not required for this processing activity. The German Competition Regulator did not agree with this analysis and said that combining data from multiple platforms was not necessary (i.e. was not required/essential to deliver that service/products to individuals) and therefore the terms and conditions were unfair and effectively forced consent from data subjects as a pre-condition of accessing the platform. The German Competition Regulator concluded that the practices of Facebook sought to make their own market position more powerful and therefore limited the opportunity for other organisations to join the market.
Instead of imposing a fine on Facebook, the German Competition Regulator ordered Facebook to take certain actions, such as amending its terms of service, data and cookies policies to allow users to grant or refuse consent to external data from other sites being combined with Facebook account data; amending its data processing practices to ensure that where a user has not consented to combining data from other platforms their data will not be used in this way; ensuring that Facebooks’ platform does not exclude users who refuse to give consent for data matching; and only matching data from other platforms with consent from data subjects.
Facebook has been given an early victory in the potential outcome of the appeal against the German Competition Regulator’s decision because the Higher Regional Court in Dusseldorf said that it had “serious doubts” about the decision taken by the German Competition Regulator as the Court did not see how a contravention of data protection law could also breach competition law at the same time. However, the German Competition Authority is appealing this decision by the Dusseldorf court on the basis that the Court has misinterpreted the breadth and scope of antitrust law. Facebook does not have to implement the actions mandated by the German Competition Regulator pending the outcome of the appeal.
Swedish DPA Issues First GDPR Fine
Rebecca Henderson, MacRoberts LLP
The Data Protection Authority in Sweden (“Swedish DPA”) (Datainspektionen) has issued its first fine under the GDPR (SEK 200,000 (around $29,000)) to a school trial of facial recognition software for monitoring the attendance of students, and has warned the school against further processing in this manner.
The fine was issued for four (4) separate violations of the GDPR: The Swedish DPA stated that the school had not abided by the purpose limitation and data minimisation principles of Article 5 of the GDPR, which state that data should be collected for a “specified, explicit and legitimate” purpose and “limited to what is necessary.” As the monitoring of attendance for 22 students via facial recognition technology was not necessary (i.e. the school could have continued to monitor attendance manually (via a registration process)) the Swedish DPA found that the basic principles of the GDPR had not been followed.
Because the school was processing biometric data, this was identified as “special category data” under Article 9 of the GDPR and therefore required an additional processing condition. The school had relied on explicit consent from parents/guardians of the students and public interest grounds for the processing but the Swedish DPA did not agree that explicit consent was appropriate in the circumstances (as there was an imbalance of power between the controller and data subject).
Although the school had conducted a risk assessment into the processing, it did not consider the potential risks to the rights and freedoms of the students and therefore wasn’t an appropriate Data Protection Impact Assessment (“DPIA”) under Article 35 as would be mandated in these circumstances. Additionally, pursuant to Article 36, the Swedish DPA considered this type of processing to be “high risk” and therefore the school should have consulted directly with the Swedish DPA before implementing the trial.