U.S.-EU Privacy Shield Replaces Defunct Safe Harbor Framework

The European Commission announced Feb. 2, 2016, that the Commission and the U.S. Department of Commerce had reached an agreement on a new trans-Atlantic data transfer framework: the "EU-US Privacy Shield" or, colloquially, Safe Harbor 2.0. The Privacy Shield replaces the former U.S.-EU Safe Harbor framework, which was struck down by Europe's highest court this past October in Schrems v. Data Protection Commissioner. In order to address European concerns about U.S. government surveillance, U.S. officials provided written assurances that intelligence and law enforcement surveillance of personal data will be subject to "clear limitations, safeguards and oversight mechanisms" and "ruled out indiscriminate mass surveillance on the personal data transferred" under the arrangement. U.S. companies receiving personal data from EU citizens must "commit to robust obligations on how personal data is processed and individual rights are guaranteed" and must publish those commitments, under the oversight of the Department of Commerce. The FTC will have the authority to enforce those obligations. To further aid data transfers under this agreement, on Feb. 24, 2016, President Barack Obama signed into law the Judicial Redress Act, which will allow European citizens to seek legal redress if their personal data is misused.

NYAG Settlement With Uber in Data-Breach Investigation

On Jan. 6, 2016, the New York State Office of the Attorney General issued an "assurance of discontinuance" memorializing its settlement with Uber over its handling of riders' (and drivers') personal information, following the discovery of a substantial data breach in 2014. Under the terms of the settlement, Uber must encrypt riders' GPS information and adopt authentication measures before any employee can access riders' sensitive personal information. Uber also agreed to pay a $20,000 penalty for violating New York's privacy law by failing to provide timely notice of the breach, in which one of its engineers posted an access ID for the company's cloud storage on an unsecured website and Uber drivers' names and license numbers were accessed by someone unaffiliated with the company.

ERISA Preempts Data Breach Claims

In re Anthem, Inc. Data Breach Litig., No. 15-MD-2617-LHK (N.D. Cal. Jan. 27, 2016 & Feb. 14, 2016)

In this lawsuit arising out of the breach of unencrypted protected health information, the court denied plaintiffs' request for remand in January 2016, as well as a subsequent motion for reconsideration. The court issued an 82-page decision Feb. 14, 2016, holding that the loss of personal information could constitute harm under New York's General Business Law (GBL). Although the court found that the loss of the value of personal information and of the "benefit of the bargain" are cognizable injuries under the GBL, out-of-pocket costs to protect against the consequences of identity theft and the "fear of imminent further costs" are not cognizable injuries under that law.

After $100 Million FTC Settlement, LifeLock Settles Consumer Fraud Class Action

Ebarle v. LifeLock, Inc., No. 15-CV-00258-HSG, 2016 WL 234364 (N.D. Cal. Jan. 20, 2016)

The FTC entered a $100 million settlement in December 2015 with LifeLock, an identity theft protection provider, over claims that the company violated a 2010 federal court order requiring it to secure consumers' personal information and prohibiting the company from deceptive advertising. Apart from the FTC action, LifeLock was involved in a consumer fraud class action alleging that misrepresentations about consumers' personal data security in the defendant's advertising violated Arizona consumer protection law. The class action settlement includes a $68 million fund, which the defendant can fund using part of the $100 million FTC settlement for consumer redress.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.