Privacy Law Blog

Concrete Enough to Stand: Ninth Circuit Upholds FCRA Claims in Spokeo

On August 15, 2017, the Ninth Circuit delivered the latest episode in the Robins v. Spokeo saga, reaffirming on remand from the Supreme Court that plaintiff Robins had alleged an injury in fact sufficient for Article III standing to bring claims under the Fair Credit Reporting Act (FCRA).

Robins had brought a putative class action against Spokeo, which operates a “people search engine” that compiles consumer data into online reports of individuals’ personal information.  Robins alleged that Spokeo had willfully violated the FCRA’s procedural requirements, including that consumer reporting agencies must “follow reasonable procedures to assure maximum possible accuracy of the information” in consumer reports, because Spokeo’s report on Robins allegedly listed the wrong age, marital status, wealth, education level, and profession, and included a photo of a different person.  According to Robins, the inaccuracies in the report about him harmed his employment prospects and caused him emotional distress.

Read the full post on our Commercial Litigation Blog.

Indian Supreme Court Declares the Right to Privacy a Constitutionally-Protected Fundamental Right

In a landmark decision, a nine judge bench of the Supreme Court of India ruled today that privacy is a fundamental right protected by the Constitution of India.

Background

Due to the volume of cases brought before the Supreme Court of India, cases are generally heard by benches consisting of a subset of the ten justices of the Supreme Court. The question of whether there is a constitutionally protected right to privacy arose in a 2015 case brought before a three judge bench of the Indian Supreme Court challenging the legal validity of the Government of India’s Aadhaar program.  Under the Aadhaar program, the Unique Identification Authority of India (UIDAI), an Indian government authority, is charged to assign a twelve digit unique identification number (UID) to each of the over 1.3 billion residents of India.  Each resident’s UID is linked to certain biometric information of the resident including his/her photograph, fingerprints and iris scans.  The UIDs are used by the government for a variety of purposes including to eliminate fraud in connection with the dispensing of benefits under various government welfare programs.  The three judge bench in the Aadhaar case determined that to assess the case appropriately, a determination of whether the right to privacy is a fundamental right protected by the Constitution of India was required by a larger bench of Indian Supreme Court justices.  Given that the 1954 case of M.P. Sharma et al. v. Satish Chandra, District Magistrate, Delhi et al. holding that privacy is not a right guaranteed by the Indian Constitution was decided by an eight judge bench, a larger bench of nine Supreme Court justices was convened to determine whether the rationale of the M.P. Sharma judgment and others which similarly found that the Indian Constitution does not guarantee a right of privacy was based on “jurisprudential correctness.”  This bench of nine justices of the Indian Supreme Court listened to arguments presented over six long days spread over three weeks.

The Judgment

Today’s 547 page judgment by the Supreme Court of India consists of one opinion signed by four justices and five separate concurring opinions. It reads like a tome on the theory and jurisprudence of privacy law.  The judgment includes a comparative analysis of privacy laws and court judgments of the United Kingdom, the United States, South Africa, Canada, the European Union and the treatment of privacy under the European Convention on Human Rights, the European Charter and the Inter-American Court of Human Rights.  It also considers critiques of the privacy doctrine and existing Indian case law containing conflicting views on whether privacy is a fundamental right protected by the Indian constitution.

The extensive analysis conducted by the bench has rendered a decision that is unequivocal: “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 [of the Indian Constitution] and as part of freedoms guaranteed by Part III of the Constitution.”

Part III of the Indian Constitution is India’s “bill of rights” which enumerates the fundamental rights guaranteed by the Indian Constitution. Article 21 states “No person shall be deprived of his life or personal liberty except according to procedure established by law.”

In today’s ruling, the court states that life and personal liberty are not creations of the Constitution; they are “rights that are recognized by the Constitution as inhering in each individual as an intrinsic and inseparable part of the human element which dwells within” and that “privacy is a constitutionally protected right which emerges primarily from the guarantee of life and personal liberty in Article 21 of the Constitution.”  The court goes on to state that “privacy is the constitutional core of human dignity” before clarifying that like all of the fundamental rights enumerated in Article III of the Indian Constitution, the right to privacy is not an absolute right but rather is subject to permissible restrictions on fundamental rights.  A law which encroaches on the right to privacy may be valid if it is otherwise legal, it fulfills a legitimate aim of the state and it is based upon a rational connection between the objective of the law and the means adopted to achieve the objective.

Impact

Whether this case will affect the legality of the Aadhaar program remains an open question.  The court does state in its judgment that the state may have justifiable reasons for the collection and storage of data and that the objective of ensuring that resources are properly deployed to legitimate beneficiaries is a valid ground for the state to insist on the collection of data. If data collected under the Aadhaar program is used for legitimate state interest and not for purposes unrelated to a legitimate state interest, the program, and the collection of personal and biometric information through the program, may be held to be legal.

Apart from the impact this case may have on deciding the legality of the Aadhaar program, the case may also impact how future cases dealing with other issues such as gay rights and abortion may be decided by recognizing that privacy includes matters relating to sexual orientation and procreation.

Further, as part of its judgment, the court has identified the need for the Government of India to examine and put into place a robust regime for data protection. Accordingly, today’s judgment may lead to the further development of privacy laws and regulations in India.

We will continue to monitor the development of privacy laws in India and publish updates here as appropriate.

A Year in Review: FTC Data Privacy Actions and its Impacts on 2017 and Beyond

Whether it means taking a prominent role shaping data security for the Internet of Things, or addressing high profile breaches, the FTC has adopted an active position in policing data privacy and security. And, as data becomes increasingly digital in its form and protections, data security is of paramount importance for all types of intelligence—whether financial, medical, or otherwise sensitive.  The Commission’s emphasis on these areas has not slowed, even as the composition of the Bureau of Consumer Protection changes under a new administration.  The FTC’s actions over the past year reflect the Commission’s continued emphasis on data privacy, and its recent data privacy settlements have provided companies with a trail of breadcrumbs from which they can extract lessons learned and help avoid potential FTC scrutiny.

The Health Care Industry Cybersecurity Task Force Prompts HHS to Issue a Revised HIPAA Breach Reporting Tool

Congress established the Health Care Industry Cybersecurity Task Force (the “Task Force”) in the Cybersecurity Act of 2015 (the “Act”) to address the challenges the health care industry faces when securing and protecting itself against cybersecurity incidents.  While all health care delivery organizations have a responsibility to secure their systems and patient data, many organizations face significant resource constraints, which hinder their ability to do so.  As a result, the public has seen an increase in ransomware attacks and large privacy breaches, which inevitably affect patient care.

Update on FCC Privacy Rules

We previously reported on the FCC’s 2016 Privacy Order, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” impacting Internet service providers’ data privacy practices and obligations and the corresponding timeline for compliance. Intervening events, however, have made the rules imposed by the 2016 Privacy Order moot. On June 26, 2017, the FCC adopted a new order providing guidance on reinstating the pre-2016 Privacy Order regulations. This order was issued pursuant to a joint resolution of Congress under the Congressional Review Act, signed by the President on April 3, 2017, disapproving the FCC’s 2016 Privacy Order. As a result, the 2016 Privacy Order has “no force or effect.” FCC Chairman, Ajit Pai, stated that the purpose of the new order is to “simply make clear that the privacy rules that were in effect prior to 2016 are once again effective.”

What Employers Need to Know about Europe’s General Data Protection Regulation

Proskauer has released a white paper on “What Employers Need to Know about Europe’s General Data Protection Regulation.” As you may know, on April 14, 2016, the European Parliament approved the General Data Protection Regulation (“GDPR”), which will replace the EU’s current data privacy standard and begin to apply on May 25, 2018. This paper provides a broad overview of the ways in which the GDPR will change data protection regulations across the EU, focusing on employee data and how it is treated differently from consumer data. This paper also highlights key areas of change from the current state of the law and suggests proactive steps an employer may take to better prepare for May 25, 2018. This is meant as a guide to assist employers with planning for and achieving compliance before the May 25th deadline. EU data privacy is an enormous challenge for multi-national companies, and many U.S. based companies doing business in the EU are struggling with what they need to do in order to get into compliance with the GDPR with respect to collecting, processing and transferring employee data. To read Proskauer’s full white paper titled, “What Employers Need to Know about Europe’s General Data Protection Regulation” please click here.

GDPR Compliance Update: Which Government Authorities Have Issued Official GDPR Guidance?

This post provides an update as to the current status of official GDPR-related guidance. With a little under a year remaining until the European Union’s General Data Protection Regulation (GDPR) becomes enforceable, companies are on the lookout for any interpretive guidance from EU or member state authorities that will help them focus their compliance efforts. The EU’s Article 29 Working Party (WP29) thus far has adopted guidelines relating to data portability, the identification of lead supervisory authorities, and the role of data protection officers, and has issued draft guidelines on data protection impact assessments (DPIAs, also known as “Privacy Impact Assessments”). Additionally, EU member states – led by Germany – are beginning to pass laws meant to complement the GDPR and legislate in areas the GDPR leaves to the member states.  These laws also provide some clues as to how the GDPR will take effect on a country-by-country basis.

