The legal and regulatory landscape of data privacy and protection enforcement is developing quickly. Recent enforcement actions, adoption of state-based laws, and proposed legislation demonstrate more change is imminent. To avoid a patchwork of laws and regulations, there is a growing need for an overarching regulatory scheme. This practice point discusses recent notable activity in developing this emerging body of law and regulation.
Google Receives Record GDPR Fine
Marking the first major penalty against a U.S. technology company under the European Union’s General Data Protection Regulation (GDPR), the French data-protection authority, CNIL, has fined Google a record $57 million. Google’s violations stemmed from a lack of transparency regarding how it uses consumers’ personal information and from a failure to obtain sufficiently informed consent to use that information to personalize ads. CNIL’s investigation began on May 25, 2018—the day the GDPR took effect—in response to concerns raised by two groups of privacy activists. While the fine represents a fraction of the maximum possible penalty of $4.7 billion, the move should put other U.S. technology companies on high alert that European regulators will apply tough scrutiny under the sweeping data-protection law. Read CNIL's statement and The Washington Post article (login required) discussing the record enforcement action.
Privacy Activist Files Bevy of GDPR Complaints
The CNIL is not the only entity about which companies that gather user data should be concerned. Austrian attorney and privacy activist Max Schrems has filed several GDPR complaints with the Austrian data-protection authority, naming Amazon, Netflix, YouTube, and other major technology companies as alleged violators. The complaints allege that the companies failed to comply fully with data-subject information requests. Schrems, who leads the non-profit NOYB (none of your business), is demonstrating that privacy groups intend to continually test companies’ compliance with the GDPR. He previously filed complaints in 2018 against Google, Facebook, Instagram, and WhatsApp. Read the Reuters article for additional details.
States Introduce Comprehensive Privacy Laws and Other Measures
Coming on the heels of the California Consumer Privacy Act (CCPA), legislation introduced in the New Mexico and Washington state legislatures would greatly expand consumer-privacy protections in those states if passed into law. The New Mexico bill (SB 176) largely incorporates the same provisions as the CCPA, while the Washington bill (SB 5376) incorporates concepts from the GDPR. One major difference is that the New Mexico bill provides for a private right of action while the Washington bill would be enforceable only by the state attorney general. The laws would take effect on July 1, 2020, and December 31, 2020, respectively.
Legislators in Massachusetts have also introduced a CCPA-style privacy law that would take effect January 1, 2023. The law provides for a private right of action and, significantly, explicitly states that a mere technical violation would provide a claimant standing to sue, which has been a heavily litigated issue under the Illinois biometric privacy law.
Other states are also looking to enact stricter privacy provisions. Legislators in New York have proposed several measures, including a private right of action for data-breach victims and a prohibition on the use of biometric data for marketing and advertising purposes. A Virginia bill would allow minors to request removal of information and impose additional restrictions on marketing, advertising, and data sharing. A law introduced in Utah would restrict government agencies’ ability to obtain personal information, and North Dakota is considering a bill that would require affirmative consent before an entity discloses personal information. Read The Information article for additional details.
The Push for National Privacy Legislation Gains Steam
In the United States, calls for nationwide federal privacy legislation continue to arise, due in part to the enforcement of the GDPR, the passage of the California Consumer Privacy Act, and various privacy-related incidents at major companies such as Facebook and Marriott Hotels. Multiple constituencies are forming to press their visions to Congress. Among the competing proposals are bills introduced by Democratic and Republican senators, a group of privacy organizations' proposal for a new federal agency, and a privacy framework of baseline protections formulated by the Information Technology and Innovation Foundation, a think tank backed by major technology companies. Counsel should be prepared to educate their clients on these proposals and chime in to help shape this quickly developing area of the law. Read the Associated Press article for additional details.
Alfred J. Saikali is a partner and the chair of Privacy and Data Security Practice at Shook Hardy & Bacon LLP in their Miami, Florida, office.