CLA’s Privacy Law Section summarizes important developments in California privacy and beyond. Don’t forget to register for our FREE Intro to Privacy Series – GDPR Basics, on July 27 at noon.
Legislation Committee Newsletter | Mallory Jensen
The Privacy Section’s Legislation Committee has continued to review legislation proposed by the California State Senate and Assembly. Though many of the privacy-related bills proposed at the outset of this year’s legislative session did not survive, some have continued to move and we are discussing the impact they may have. Our members are also engaged in preparing “crosswalks” between California laws and other state (such as Virginia) and international (such as GDPR and LGPD) laws, and in reviewing initiatives such as the ABA’s resolution on privacy law. As previously noted, in the coming months, we will spearhead the Privacy Section’s efforts on submitting comments on proposed CPRA regulations. If you’re interested in getting involved in the committee, please email co-chairs Elaine Harwell at firstname.lastname@example.org or Mallory Jensen at email@example.com.
Here are summaries of two of the bills that are still active that we are reviewing.
- SB 41 (Privacy: genetic testing companies; proposed by Senator Tom Umberg): This bill would establish the Genetic Information Privacy Act (GIPA). GIPA would require a direct-to-consumer genetic testing company (e.g., 23andme) to: (1) provide consumers with certain information on the companies’ policies for collecting and using genetic data; and (2) obtain express consent for collection, use, or disclosure of such data, including separate consent for uses beyond the primary purpose and for transfers to third parties. Such companies must also provide a way for consumers to revoke their consent, and if any consumer revokes consent the company must delete the biological sample provided by the consumer within 30 days; moreover, the company may not discriminate against the consumer for exercising the right to revoke consent, or any other right provided for in the bill. GIPA also requires genetic testing companies to implement “reasonable security practices and procedures” to protect the genetic information. Notably, companies subject to GIPA are prohibited from releasing genetic data to any companies making decisions regarding various forms of insurance or employment or companies advising other companies making such decisions, except in limited scenarios. GIPA does not apply to medical information, health care providers, or business associates subject to HIPAA or certain other laws, and does not apply to certain scholarly and research activities. There is no private right of action, but the fines for violation (up to $10,000, for willful violations) are paid to the affected individual.
- AB 419 (Criminal procedure: victim and witness privacy; proposed by Assemblymember Laurie Davies): Existing law generally prohibits an attorney from disclosing to a defendant (or anyone else) the address or telephone number of a victim or witness whose name is disclosed to the attorney through discovery. This bill would broaden the scope to prohibit disclosure of any personal identifying information of the witness or victim. PII is defined under the bill to include a broad range of identifiers including biometrics, credit card numbers, account numbers, “or an equivalent form of identification.” In other words, the bill increases a criminal attorney’s compliance obligations by increasing the types of information about victims and witnesses that cannot be disclosed. Though criminal attorneys are already under an obligation to keep names and certain other details private, this bill will broaden the scope of what they must keep confidential.
Supreme Court Limits Availability of Federal Courts for Privacy Plaintiffs | Cody Venzke
On June 25, 2021, the Supreme Court reversed the Ninth Circuit in TransUnion LLC v. Ramirez, No. 20-297, holding that the members of a class lacked standing to bring claims under the Fair Credit Reporting Act (FCRA) against TransUnion, a major credit reporting agency. It held that the class members lacked standing because they either failed to show that the defendant had disclosed false information in their credit reports or alleged only mere “formatting” errors in their reports. The decision likely limits the scope of “concrete harms” that qualify to establish standing under Article III to those that are “traditionally recognized” as providing a cause of action. The decision may have far-reaching effects on Congress’s ability to establish private rights of action for privacy harms.
The lead plaintiff in TransUnion filed a class action, alleging that TransUnion incorrectly indicated that his name matched a list maintained by the Office of Foreign Assets Control (OFAC) of “specially designated individuals” who pose a threat to national security. The plaintiff had requested his credit file from TransUnion, and although the file he received contained a summary of his rights as required by FCRA, it did not mention the OFAC alert. Shortly after, the plaintiff received a letter from TransUnion stating that his name was “considered a potential match to names on the OFAC list.” The letter, however, did not include a summary of his rights. Slip Op. at 5.
FCRA seeks to protect consumer privacy in credit reporting and imposes “a host of requirements” concerning the creation and use of credit reports. Slip Op. at 1. In the class action, the lead plaintiff alleged that TransUnion violated FCRA by failing to: (1) follow “reasonable procedures” to ensure the accuracy of information in his credit file, (2) provide him with his complete credit report, and (3) provide a summary of his FCRA rights “with each written disclosure” as required by the act. A jury returned a verdict for the class on each claim, and the Ninth Circuit affirmed. On certiorari before the Supreme Court, TransUnion argued that the class had not suffered a concrete harm and lacked standing under Article III. The Supreme Court generally agreed and reversed the Ninth Circuit. Slip Op. at 5-6.
In its reasoning, the Supreme Court noted that standing under Article III requires a “concrete harm” that must be “real, and not abstract.” According to the Court, “concrete harm” requires courts to assess “whether the alleged injury to the plaintiff has a ‘close relationship’ to a harm ‘traditionally’ recognized as providing a basis for a lawsuit in American courts.” Those “traditional” harms not only include physical and monetary harms, but also “[v]arious intangible” harms, including reputational harms, intrusion upon seclusion, and disclosure of private facts. Although the Court had previously recognized that “both history and the judgment of Congress play important roles” in assessing concrete harm, Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016), the TransUnion Court clarified that Congress’s creation of a cause of action does not suffice to create a concrete harm. The Court stated, “Congress may create causes of action for plaintiffs to sue defendants who violate those legal prohibitions or obligations. But under Article III, an injury in law is not an injury in fact. Only those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court.” Slip Op. at 9-11.
The Court held that only a small portion of the class had established concrete harm. The Court first turned to the class’s claim that TransUnion failed to take “reasonable procedures” to ensure the accuracy of their credit reports. Of the 8,185 class members, TransUnion had disclosed the false OFAC notice to third parties for 1,853 class members; that harm bore a sufficiently “close relationship” with the “tort of defamation” to qualify as a concrete harm. Slip Op. at 17. However, the remaining class members—whose false OFAC alerts were not disclosed—did not suffer a concrete harm. Quoting Judge Tatel, the Court stated, there is “no historical or common-law analog where the mere existence of inaccurate information, absent dissemination, amounts to concrete injury.” Slip Op. at 18.
For the remaining two claims that TransUnion failed to provide either complete credit reports to the class members or summaries of their rights under FCRA—which the Court deemed “formatting errors”—the Court concluded that the class failed to establish any evidence of harm. They did not establish that they failed to receive any information or that the receipt of the information in multiple mailings prevented them from exercising their rights. Thus, the “formatting” errors were “bare procedural violation[s], divorced from any concrete harm.” Slip Op. at 25-26 (quoting Spokeo).
It remains for the lower courts to apply the framework in TransUnion. However, the Court’s language marks a departure from its existing precedent, seemingly establishing “traditionally cognizable” harms as preeminent in the standing analysis over the “judgment of Congress.” The decision will likely raise questions about Congress’s ability to create private rights of action to address new harms, such as privacy violations. Nonetheless, potential avenues remain. The Court expressly included intrusion upon seclusion and disclosure of private facts as “traditionally” cognizable harms. Further, TransUnion applies only to private suits brought in federal courts; the state courts remain open to plaintiffs, including those bringing federal claims, and enforcement by Executive Branch agencies remains available as well.
Europe Privacy Developments | Andrew Scott
Across the Atlantic, the European Union (EU) kept many privacy attorneys on their toes during the month of June. In that month, the EU not only issued new Standard Contractual Clauses (SCCs) but also granted two Adequacy Decisions to the United Kingdom (UK). Additionally, the European Data Protection Board (EDPB) issued recommendations for transferring personal data outside of the EEA. This update is intended to be a high-level overview of the recent privacy developments in Europe.
The New SCCs
On June 4, the EU issued new SCCs for the first time since the General Data Protection Regulation (GDPR) entered into force. SCCs provide a legal basis to facilitate cross-border transfers of personal data from entities within the European Economic Area (EEA) to entities in countries outside the EEA (also known as third countries). SCCs can ensure that data transfers meet the basic requirements of the GDPR and that the necessary “appropriate safeguards” are in place.
As opposed to the single model clause that was used for every type of personal data transfer, there are now four different model clauses designed for a broad range of scenarios: controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller.
Applicability: The new SCCs are only applicable for situations where the data importer would not be directly subject to the extraterritorial scope of the GDPR for the processing operation at hand. The effect of this is that data importers with a processing operation subject to the GDPR will now likely need to assess their onward transfers, becoming a data exporter when using processors as part of their processing.
- June 27, 2021: The new SCCs can be used.
- September 27, 2021: The old SCCs may no longer be used in new contracts.
- December 27, 2022: The old SCCs will become invalid, and the new SCCs must be used.
Schrems II: As noted in the EU’s press release, the SCCs reflect new requirements under the GDPR and take into account the Schrems II judgment of the Court of Justice, “ensuring a high level of data protection for citizens.” For example, the new SCCs have a section dedicated to the data transfer risk assessment, which organizations must conduct to take into account government surveillance and access laws.
The EDPB Recommendations
On June 21, the EDPB released its Recommendations for supplementary measures when transferring personal data out of the EEA, recognizing that “[s]tandard contractual clauses and other transfer tools mentioned under Article 46 GDPR do not operate in a vacuum.”
With the Schrems II judgment in mind, the recommendations remind “us that the protection granted to personal data in the [EEA] must travel with the data wherever it goes.” Recognizing that the judgment requires controllers or processors acting as exporters to conduct “a case-by-case analysis of whether the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools,” the recommendations offer exporters a six-step process to help with this heavy lift:
- Know Your Transfers: Review all data transfers on a case-by-case basis.
- Verify the Transfer Tool: For example, is the tool being used an Adequacy Decision, an SCC, a set of Binding Corporate Rules, Ad-Hoc contracts, or a Code of Conduct?
- Assess: After choosing the transfer tool(s), a third-country assessment should be conducted to take into account whether “there is anything in the law and/or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools,” such as international data privacy commitments (e.g., Convention 108), local data protection laws, redress mechanisms, or government access and surveillance laws.
- Identify and Adopt Supplementary Measures (perhaps the most challenging step): In adopting supplementary measures, the exporter should take into account the complexity of the data flow, any onward transfer, the size of the data, and the type of personal data. In doing this, the exporter can adopt a variety of measures, which could be legal, operational, or technical in nature.
- Take any Formal Steps: Depending on the mechanisms selected, you may need to consult a competent supervisory authority.
- Re-Evaluate: Regular reviews and updates are needed.
Two Adequacy Decisions for the UK
On June 28, the UK received two Adequacy Decisions from the EU Commission: one under the GDPR and another under the European Law Enforcement Directive.
An Adequacy Decision for the UK means that the country’s data protection laws offer an “essentially equivalent” level of protection to that in the EU. These adequacy decisions ensure that data may flow freely from the EU to the UK without the need for any additional transfer mechanisms or safeguards. These Adequacy Decisions were heavily influenced by the Court of Justice of the European Union’s Schrems II decision, which invalidated the EU-U.S. Privacy Shield framework as a valid transatlantic personal data transfer mechanism.
The Adequacy Decisions will be valid until 2025, which is when the Commission has an opportunity to review and renew the decisions; however, the Adequacy Decisions may be repealed if it is determined that data protection and legislation practices of the UK no longer align with the GDPR. Without a doubt, special attention will be given to how the UK will handle onward transfers to other third countries, especially the U.S.
Colorado Passes New Privacy Law | Jennifer Oliver
On July 7, 2021, Colorado’s governor signed the Colorado Privacy Act (“CPA”), which will go into effect on July 1, 2023. This makes Colorado the third state to pass comprehensive consumer privacy legislation, following California and Virginia.
The CPA is similar to the models in place in California (the California Consumer Privacy Act (“CCPA”) and newly-minted California Privacy Rights Enforcement Act (“CPRA”)), and Virginia (the Virginia Consumer Data Protection Act (“VCDPA”)). The new law gives Colorado residents the right to access, correct, and delete the personal data held by organizations subject to the law. Colorado residents will also have the right to opt-out of the processing of their personal data for purposes of targeted advertising, sale of their personal data, and profiling.
Like the VCDPA (and unlike the CCPA), the CPA will not provide a private right of action; it is enforceable only by the Colorado Attorney General or state district attorneys. And, unfortunately for businesses that must comply with the law, the required process for responding to consumer privacy requests differs in each of the three states.
The CPA also contains some provisions apparently modeled after the European Union’s General Data Protection Regulation (“GDPR”), such as the requirement to conduct data protection assessments. Companies that are GDPR compliant should therefore have an advantage when it comes to CPA compliance.
The CPA gives the Attorney General rulemaking authority to resolve any ambiguities in the statute, for example, how businesses should implement the requirement that consumers have a universal mechanism to easily opt out of the sale of their personal data by July 1, 2023.