chevron-down Created with Sketch Beta.

Business Law Today

January 2024

January 2024 in Brief: Internet Law & Cyber-Security

Juliet Marie Moringiello

January 2024 in Brief: Internet Law & Cyber-Security

Jump to:

Second Circuit Court of Appeals Refers Attorney Who Cited Nonexistent Case Provided by ChatGPT for Discipline Investigation

By Alan S. Wernick, Esq., Aronberg Goldgehn

In its January 30, 2024, decision in Park v. Kim, the U.S. Court of Appeals for the Second Circuit responded to an attorney who submitted a reply brief in the appeal that cited a nonexistent case that, as it turns out, the attorney obtained through ChatGPT.

The Court informed Counsel it could not locate the case and requested she furnish the Court with a copy. Plaintiff’s Counsel responded that she was “unable to furnish a copy of the decision.” The Court stated, “Although Attorney Lee did not expressly indicate as much in her Response, the reason she could not provide a copy of the case is that it does not exist – and indeed, Attorney Lee refers to the case at one point as ‘this non-existent case.’”

The Plaintiff’s counsel’s response to the Court stated, in part:

Believing that applying the minimum wage [in the relevant circumstances] under workers’ compensation law was uncontroversial, I invested considerable time searching for a case to support this position but was unsuccessful.

. . .

Consequently, I utilized the ChatGPT service, to which I am a subscribed and paying member, for assistance in case identification. ChatGPT was previously provided reliable information, such as locating sources for finding an antic furniture key. The case mentioned above was suggested by ChatGPT, I wish to clarify that I did not cite any specific reasoning or decision from this case.

The Court’s decision noted:

“Rule 11 imposes a duty on attorneys to certify that they have conducted a reasonable inquiry and have determined that any papers filed with the court are well grounded in fact, [and] legally tenable.” . . . At the very least, the duties imposed by Rule 11 require that attorneys read, and thereby confirm the existence and validity of, the legal authorities on which they rely. Indeed, we can think of no other way to ensure that the arguments made based on those authorities are “warranted by existing law,” Fed. R. Civ. P. 11(b)(2), or otherwise “legally tenable.”

(Citations omitted.)

The Court then cited the decision in Mata v. Avianca, Inc. (No. 22-cv-1461 (PKC), S.D.N.Y. June 22, 2023), an earlier case where counsel presented nonexistent court precedent generated by ChatGPT in which the opinion stated, “A fake opinion is not ‘existing law’ and citation to a fake opinion does not provide a non-frivolous ground for extending, modifying, or reversing existing law, or for establishing new law. An attempt to persuade a court or oppose an adversary by relying on fake opinions is an abuse of the adversary system” (citations omitted).

The Court of Appeals concluded that because Plaintiff’s Counsel presented a false statement of law to the Court and “made no inquiry, much less the reasonable inquiry required by Rule 11 and long-standing precedent, into the validity of the arguments she presented” (emphasis in the original), the Court referred her “to the Court’s Grievance Panel pursuant to Local Rule 46.2 for further investigation, and for consideration of a referral to the Committee on Admissions and Grievances.”

The bottom line is that attorneys (and pro se parties) in litigation citing nonexistent law to a court can lead to Rule 11 sanctions and other consequences. Citing ChatGPT or some other generative artificial intelligence (“AI”) tool as the source of the nonexistent law will not avoid these consequences.

© 2024 Alan S. Wernick and Aronberg Goldgehn.

New Jersey Expands Privacy Laws

By Jessica Varda, J.D. Candidate, Class of 2026, Louis D. Brandeis School of Law at the University of Louisville

On January 16, 2024, New Jersey Governor Phil Murphy signed Senate Bill No. 332 (Sixth Reprint) (S332), expanding data privacy obligations for controllers.

S332 defines a “controller” as “an individual, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.” S332 applies to controllers who “conduct business in [New Jersey] or produce products or services that are targeted to residents of [New Jersey]” and during the calendar year either (a) “control or process the personal data of at least 100,000 consumers” (excluding payment transactions) or (b) “control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.” Personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable person,” and it does “not include de-identified data or publicly available information.”

S332 requires controllers to “limit the collection of personal data to what is adequate, relevant, and reasonably necessary” and to provide consumers the ability to:

  • Access, correct, delete, and obtain a copy of their personal data in a portable format, and
  • opt out of targeted advertising, the sale of personal data, and “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
    • For thirteen- to seventeen-year-olds (“where a controller has actual knowledge or willfully disregards [their age]”), consent is required for processing of personal data for the purposes of targeted advertising, the sale of personal data, and profiling with legal or similarly significant effects. Consent is defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement.”

The law also includes specific requirements for “accessible, clear, and meaningful” privacy notices controllers must provide. Privacy notices must include information on categories of personal data processed and shared, the purpose for processing personal data, and how consumers may exercise their consumer rights. Controllers have forty-five days to respond to consumer requests, although under certain circumstances, where reasonably necessary, the controller may expand the response period by forty-five days with notice to the consumer. The New Jersey Division of Consumer Affairs is charged with promulgating rules and regulations under the law.

States including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia have passed similar laws.

SEC Approves Spot Bitcoin Exchange-Traded Products

By Brian Jones, J.D. Candidate, Class of 2026, University of Chicago

On January 10, 2024, the Securities and Exchange Commission (SEC) announced its approval of spot bitcoin exchange-traded products (ETPs). Bitcoin is the world’s largest cryptocurrency by market capitalization. Like other cryptocurrencies, it is decentralized; rather than being controlled by a centralized authority like the Federal Reserve, bitcoin is distributed in public ledgers called blockchains. ETPs are financial instruments that track the value (the “spot” price) of an underlying investment—in this case, bitcoin. Exchange-traded funds (ETFs) are the most common type of ETP. For example, many ETFs track the S&P 500, an index of 500 of the largest companies trading on U.S. stock exchanges.

The SEC had previously disapproved filings for spot bitcoin ETPs. However, in Grayscale Investments, LLC v. SEC, the U.S. Court of Appeals for the District of Columbia Circuit disagreed with one such rejection and remanded the matter back to the SEC. Subsequently, the SEC approved Grayscale’s spot ETP, as well as ETPs from ten other firms, including BlackRock and Fidelity. The SEC took care to note that its decision did not reflect a judgment on the value of bitcoin as an investment, but simply that the issuers and security listings complied with the applicable regulations under the Securities Act and Securities Exchange Act. The SEC also cautioned that this approval applies only to spot bitcoin ETPs and does not indicate a likelihood of similar results for other cryptocurrencies.

Notably, the availability of these products affords new protections to investors wishing to gain exposure to bitcoin:

  1. Disclosure Requirements

    Since the listing of these ETPs requires public registration statements and periodic filings, potential investors are required to receive “full, fair, and truthful disclosure” from issuers.
  2. Regulated Exchanges

    The ETPs will be listed on national registered exchanges, which are subject to rules designed to prevent fraud, manipulation, and conflicts of interest. The SEC closely monitors these exchanges and investigates any potential market manipulation.
  3. Competition among Issuers

    By approving ETP filings from ten other firms in addition to Grayscale, the SEC is fostering competition among the issuers, which benefits investors and promotes fairness in the market.

While recognizing the benefits of these protections, the SEC concluded its approval announcement by cautioning potential investors against bitcoin’s volatility, speculative nature, and association with illegal activity.

European Commission Approves of Canada’s Data Protection Regime (Again)

By Lisa R. Lifshitz and Roland Hung, Torkin Manes

On January 15, 2024, the European Commission (“Commission”) confirmed Canada’s adequacy status under the General Data Protection Regulation (“GDPR”). You can read the Commission’s full report setting out its adequacy decision here (the “Report”).

What is the GDPR?

The European Union (“EU”) enacted the GDPR in May 2018. The GDPR strengthens the protection of all EU citizens with respect to the transfer of their personal data and harmonizes national data privacy laws throughout the EU. The GDPR requires all companies processing the personal data of EU residents, including companies established outside the EU if they operate in the EU, to comply with the data protection rules set out therein. For example, the GDPR requires that companies obtain “specific, informed and unambiguous consent” in order to process an individual’s personal data.

What is adequacy status?

Pursuant to the GDPR, if the Commission finds that a country outside of the EU offers an adequate level of data protection, that country can obtain adequacy status. Obtaining adequacy status involves a proposal from the European Commission, an opinion of the European Data Protection Board, an approval from representatives of EU countries, and the adoption of the decision by the European Commission. However, adequacy status may be revoked at any time if the European Parliament and the Council request that the European Commission withdraw, maintain or amend its adequacy decision.

Prior to the GDPR, eleven countries were granted adequacy status under the then Data Protection Directive 95/46/EC, namely: Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. These adequacy decisions have remained in force so far, even after the GDPR came into effect.

On January 15, 2024, following its review of the eleven existing adequacy decisions, the Commission confirmed Canada’s adequacy status alongside the other ten countries with existing adequacy status. The Report concluded that the aforementioned countries’ existing data protection frameworks are aligned with the EU’s framework and provide significant data safeguards for personal data.

The Commission found that Canada continues to provide an adequate level of protection for personal data transferred from the EU to recipients subject to Canada’s federal private sector privacy law, the Personal Information Protection Electronic Documents Act (SC 2000, c 5) (“PIPEDA”).

What does this mean for Canadian businesses?

If a country has adequacy status, personal data can flow from the EU to that country without the need for any additional data protection safeguards, such as standard contractual rules, the need for additional data processing addenda, or authorizations to transfer the data. The additional safeguard requirements could be cumbersome and onerous for some organizations. Canada’s adequacy status results in increased efficiency for Canadian businesses transferring personal data from the EU to Canada.

What’s next?

To ensure Canada continues to maintain its adequacy status under the GDPR, the federal government will need to bring its privacy laws into closer alignment with the GDPR.

Canada’s federal privacy legislation, PIPEDA, is expected to see an overhaul soon. Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts known as the Digital Charter Implementation Act, 2022 (“Bill C-27”) has completed its second reading in Parliament and is undergoing consideration by the Standing Committee on Industry and Technology.

Bill C-27 introduced bold new measures that will bring Canadian privacy law into closer alignment with the GDPR. Closer alignment with the GDPR will continue to assist Canada in maintaining its adequacy status under the GDPR, allowing Canadian businesses to transfer personal information from the EU to Canada without additional data protection safeguards as discussed above.