All posts by Paul E. Paray

Consent Armageddon is coming

On November 19, 2018, the UK’s Register reported how even though the Washington Post was in technical violation of the GDPR, the UK’s privacy enforcement arm, the Information Commissioner’s Office, admitted in private emails that it was not likely going to seek extra-jurisdictionally any potential penalties.

According to the Register, the Washington Post’s online subscription options offer readers a free option (for a limited number of articles); a $6 a month option (for unlimited articles); and a $9 a month option that allows users to switch off tracking and cookies.  With the free and $6 a month options, however, readers must consent to the use of cookies, tracking and ads.

Acting on a complaint apparently ginned up by the Register, a Case Manager from the UK ICO reviewed these policies and purportedly decided they were in violation of applicable privacy law.  (“I am of the view that the Washington Post has not complied with their Data Protection obligations.   This is because they have not given users a genuine choice and control over how their data is used.”).

Pushing aside the fact the pricing model set forth in the article may be stale – the current pricing is apparently set at a higher rate, and the fact EU residents can apparently opt out of the WaPo’s terms that may be in violation of GDPR, the article still brings home a very important point, namely that consent cannot truly be “freely given” when it is given only in response to a threatened change in pricing.

By way of background, Article 7(4) of the EU’s GDPR states: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”  By charging a different price for the same services based solely on whether consent is given, there is certainly a technical violation of GDPR.

Moreover, under the recently enacted Section 1798.103 (“Right to Equal Service and Price”) of the California Consumer Privacy Act, this alleged violation is made even more stark:  “A business shall be prohibited from discriminating against a consumer because the consumer requested information pursuant to sections 1798.100 or 1798.101, or because the consumer directed the business not to sell the consumer’s personal information pursuant to section 1798.102, or because the consumer exercised the consumer’s rights to enforce this Act, including but not limited to, by: (a) denying goods or services to the consumer; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties. . . .”

Whether by way of GDPR or CCPA – or other laws still not enacted, companies will eventually be tested on the adequacy of “freely given” consents.  And, the extra-jurisdictional limitations of GDPR will certainly not curtail US enforcement under an even more direct CCPA.  In other words, despite what others may suggest, marketers and others embedded in the digital ad ecosystem should likely get their consent proofs in order – especially as “big brands continue to redirect their ad spend and adapt their advertising practices to the GDPR.”

Between the recent 60 Minutes GDPR feature with Max Schrems – an educational piece that can only further draw consumer ire, and the actual four Complaints filed by Schrems that will likely resolve these issues, a Consent Armageddon is headed our way beginning in 2020 – the year CCPA also comes online and GDPR enforcement efforts will be more fully staffed.  More importantly, with the proper mechanisms in place, sometime after 2020, data subjects will finally have the power to fully exert ownership and controlled use of their own data – a property class that should be treated no differently than gold or silver.

Apple’s CEO rails against the “data industrial complex”

Tim Cook was on fire in Brussels giving his October 24, 2018 keynote speech at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC).  As reported by TechCrunch, Mr. Cook targeted Google and Facebook when he said: “Our own information — from the everyday to the deeply personal — is being weaponized against us with military efficiency. . . These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded and sold.”

He played to his appreciative EU audience when he said:  “We should celebrate the transformative work of the European institutions tasked with the successful implementation of the GDPR. . . . It is time for the rest of the world, including my home country, to follow your lead. . . . [Apple] is in full support of a comprehensive, federal privacy law in the United States”.

Cook argued for a federal US privacy law that would prioritize four things:

  1. Data minimization — “the right to have personal data minimized” or not collect it in the first place;
  2. Transparency — “the right to know what data is being collected and what it is being collected for” to “empower users to decide what collection is legitimate and what isn’t”;
  3. The right to access — given “data belongs to users” it should be made easy for users to get a copy of, correct and delete their personal data; and
  4. The right to security — given “security is foundational to trust and all other privacy rights”

According to Cook, the creation of extensive digital profiles “is surveillance.  And these stockpiles of personal data serve only to enrich the companies that collect them. This should make us uncomfortable.”

After he dropped his mic, Cook quickly went on Twitter to double down on his speech:

It is not clear how his obviously well-thought out position will ultimately impact Apple’s bottom line.  As previously observed, Apple has a natural symbiotic relationship with the social media platforms given “the smartphones that are the backbone of Apple’s success thrive in a social media environment where Facebook does exactly what it wants, namely provide “free” services that are habitually accessed throughout the day.”

Whether Cook is ultimately bluffing for PR points or believes his company’s lobbying can ultimately finesse any future legislative effort is beside the point.    The most powerful tech company in the world has just thrown down the gauntlet for a unified US privacy regime.  No different from the recently-enacted bipartisan anti-opioid abuse law, consumer privacy is a bipartisan issue so it is likely Congress will eventually come together to pick up Mr. Cook’s heavy glove.  And, for that Mr. Cook deserves another loud round of applause.

Gilder’s Life after Google

Even though one online reviewer called it “[a] random walk through Silicon Valley without any goal, valuable information, conclusions or anything other than what would fit a gossip magazine”, Gilder’s book provides a grand thesis with very deliberate underpinnings.  There are certainly many other books and articles out there that better inform regarding blockchain.  Nevertheless, Gilder explains exactly why blockchain will in the future help cause Google to lose its digital stranglehold.  For that, his book largely stands alone.

Gilder has had close access to the elite tech digerati for decades. There is no denying he knows what and who he is talking about. The writing style, however, will not be everyone’s cup of tea.  For example, applying a straw man style, he often builds up only to take down later in the book. This can easily be frustrating to readers.  Also, an imagined meeting with Satoshi Nakamoto – the pseudonymous founder of Bitcoin, can either be considered a highlight of the book or downright hokey based on one’s literary taste.

To Gilder, Google’s downfall largely rests on its giving away free products without fully understanding how this zero-sum system neglects the value and impact of consumer time on Google’s $30 billion Siren Servers – a Jaron Lanier term used to convey the eventual death spiral of a company blinded by its 75,000-server farm.  Gilder reminds:  “Without prices, all that is left to confine consumption is the scarcity of time”.

Interestingly, Jaron Lanier as well as Peter Thiel feature prominently in this book as the existential fodder for much of Gilder’s musings. The true sparkle, however, remains pure Gilder – including his view that Google’s fall is predicated on the behemoth’s not fully understanding that true wealth can only be a product of knowledge.  As Gilder suggests, “wealth is not a thing or a random sequence. It is inextricably rooted in hard won knowledge over extended time.” How he eventually connects the many dots found in the book is worth the read despite the haphazard approach.  And, despite valid style criticisms, given so few are walking down this exact path, Gilder’s trailblazing can only be lauded.

Using pokes and outright direct digs at failed exercises of socialism and the “World Saving” Artificial Intelligence fealty pursued by Elon Musk, Gilder’s libertarian bent thankfully expresses a brighter vision where creativity and humanity win out.  He is on point – just ask Tim Berners-Lee about his startup, Inrupt, to get additional perspective on Google.  And, the decentralized web ecosystems exemplified by Blockstack and Hashgraph are certainly aimed at tearing down the current global ecosystems founded by the Tech Lords of Cali.  Ultimately, in futurist Gilder’s vision, individuals win when they can more easily trust and be secure in their interactions.

Those seeking an actual name for the specific Google killer app will be disappointed. This book does not tell its readers which business vision will launch the “killer app” required to actually break the status quo.  Readers are provided with an abstract roadmap lacking in specific directions because no specific killer app has been publicly announced yet and will likely not be released for another 24 months.

AT&T crypto theft case may hasten new insurance exclusions

On August 15, 2018, crypto-enthusiast Michael Terpin filed a 69-page Complaint against AT&T in the Central District of California.  This federal action – a fifteen-count missive from Greenberg Glusker, seeks compensation of $24,000,000 for stolen cryptocurrencies as well as punitive damages in the amount of $200,000,000.  Terpin’s counsel seeks to get around standard contractual limitations and arbitration language by claiming that AT&T violated every possible California consumer statute on the books.

At its essence, the lawsuit alleges AT&T did not “implement and maintain reasonable security procedures and practices” regarding personal information and protect it “from unauthorized access, destruction, use, modification or disclosure” as evidenced by a “January 7, 2018 SIM swap fraud” conducted by a criminal who was able to convince an AT&T store employee to give him Mr. Terpin’s SIM card.  Complaint ¶ 238.

In order to obtain recovery in federal court, Terpin’s counsel will have to get around standard ADR language and damages limitations typically found in mobile carrier agreements.  More than likely, the valiant efforts of Greenberg Glusker will be to no avail – with the eventual result this case will move down the well-traveled road of arbitration without any punitive damages or massive discovery in sight.  The Supreme Court authority for such a result is quite extensive and may be why the Complaint is written in such flowery and emotional prose.

No matter what forum eventually takes on this case, it raises numerous issues that percolate beyond the four corners of the Complaint.  For example, will AT&T’s insurer eventually defend or pay out on this claim?  If so, which coverage grants will be triggered?  And, if there is coverage, will ISO or major insurance carriers develop a standard insurance exclusion to bar cryptocurrency theft claims in the future?   As it moves through the California federal court system, this case will definitely have consequences for corporations well beyond AT&T.

EU-US Privacy Shield may soon be suspended

The EU-US Privacy Shield may finally be in actual jeopardy.  It was previously thought that given the high stakes, this data transfer accommodation implemented as a replacement for the judicially invalidated Safe Harbor program was too important an agreement to be withdrawn and that only another judicial ruling could render its death knell.  That is no longer the case.   A vote today by the European Parliament made sure of that.

As reported by the IAPP, on July 5, 2018 the European Parliament passed a non-binding resolution by a vote of 303 to 223 with 29 abstentions to have the European Commission suspend the EU-US Privacy Shield “unless the U.S. is fully compliant” by September 1, 2018.  This is the second September review of the EU-US Privacy Shield.

Between the GDPR requirements left out of the EU-US Privacy Shield, the Cambridge Analytica fiasco that still dogs Facebook, the US’s adoption of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) – a statute that expressly allows access to trans-border personal data, the US’s pulling out of the Iran deal despite strong pressure from the EU, and the current tariff barbs being sent across the Atlantic, the long-term health of the EU-US Privacy Shield can no longer be considered a given.  Companies that have been reliant on this data transfer accommodation should certainly consider alternatives as soon as possible.

New California law provides statutory damages for data incidents

With the June 28, 2018 signing of The California Consumer Privacy Act of 2018, data breach class counsel are rejoicing that they finally have a private right of action backed with statutory damages.  Even though there were previous statutory remedies for privacy violations, the recent California law has gone where no other law has gone before by expressly providing a private right of action for a data breach that also allows for a minimum statutory amount.  Not surprisingly given it was the first state to pass a breach notification law, the California legislature again led the way.

After certain data incidents involving the loss of consumer data, California consumers will have, beginning on January 1, 2020, a private right of action that can also be brought on a class-wide basis.  Specifically, any consumer whose unencrypted or nonredacted personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action . . . to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages.”  Section 1798.150(a)(1).

Despite being groundbreaking, there are still numerous hurdles class counsel must surmount before a class can be certified.  For example, the private right of action may not be allowed unless the compromised information is subject to unauthorized use.  Section 1798.150(a)(1).   Accordingly, those incidents where unauthorized use is not in issue are not subject to the statute.

Moreover, the law can only be used against a business with “gross revenues in excess of twenty-five million dollars ($25,000,000)” or one that purchases personal data on “50,000 or more consumers, households, or devices” or one that “derives 50 percent or more of its annual revenues from selling consumers’ personal information.” Section 1798.140(c).

Curiously, the law allows a business to “cure” its security violation, and thereby avoid suit, but leaves to the imagination exactly how that curing process would play out.  Section 1798.150(b)(1).

And finally, this private right of action can be withdrawn if the California Attorney General files its own suit after being provided notice of a consumer’s lawsuit.  Section 1798.150(b)(3).   The AG’s office has 30 days to decide whether or not to file suit after being provided with the consumer’s lawsuit notice.

Notwithstanding the last-minute changes made to this last-minute statute, it still provides California consumers with the country’s most expansive statutory privacy rights – rights that will be immediately deployed by class counsel after 2020.  Most analysis on this new law, however, has focused on comparing it to the EU’s GDPR privacy regime – a recently implemented privacy regime that impacts many US-based companies.  In addition to the privacy requirements, companies processing significant amounts of consumer personal data should also take the class action risk very seriously and, if they do not already purchase insurance for that risk, they should at least evaluate transferring some of this liability risk by way of the privacy and data security insurance that has long been available to most any company.

UPDATE:  September 28, 2018

SB211 was signed into law largely to “technically correct” errors in the law but nevertheless made two significant changes to Section 1798.150 when it removed the prior requirement that consumers notify the Attorney General prior to bringing any action for a data breach and removed the prior requirement that the Attorney General could bar consumer plaintiffs from bringing suit.  These two significant changes will certainly make for a very interesting class action year in 2020.

UPDATE:  February 26, 2019

On February 22, 2019, an amendment to the law was proposed that would do away with the cure provision, expand the statutory damages provision to any violation of the law, and limit the role of the Attorney General in policing violations.  If passed, these changes will significantly alter the reach of the law by making the plaintiff’s bar’s arsenal even wider and the law’s penalties that much stronger.

Supreme Court sides with privacy advocates in Carpenter

On June 22, 2018, the United States Supreme Court ruled that obtaining cell-site location information without a probable cause warrant violates the Fourth Amendment despite the fact there were no actual associated property rights in the data.   In writing for the majority, Chief Justice Roberts sided with the liberal wing of the Court and against those Justices looking to affirm the robbery conviction in question.  Justice Gorsuch’s Dissent correctly points out, however, that the “most promising line of argument” available to Carpenter was not well-developed by Carpenter, namely that he had positive property rights in his geo-location data.  Gorsuch, J., Dissent at 21.   Instead, the Majority ruled there was a reasonable expectation of privacy in the data in question despite the lack of any available property rights.

This decision could have been a potential clarion call regarding privacy rights well beyond those found in a Fourth Amendment context.  Instead of confirming the data’s true value – again, as a positive property right, the Majority determined that a third party’s access and consent to use the data in question did not negate the data’s ability to give rise to a reasonable expectation of privacy – in effect, carefully distinguishing the so-called third party doctrine previously applied by the Court.  In so doing, the Majority carefully parsed precedent on this issue – now giving it a second-tier analysis status, rather than outright rejecting it as apparently sought by Justice Gorsuch in his Dissent.  Gorsuch, J., Dissent at 5 – 8.

Recognizing the contortions taken by the Majority, Justice Alito fairly screamed for Congressional intervention given this perceived affront to existing Fourth Amendment precedent.  Alito, J., Dissent at 27 (“Legislation is much preferable to the development of an entirely new body of Fourth Amendment caselaw for many reasons, including the enormous complexity of the subject, the need to respond to rapidly changing technology, and the Fourth Amendment’s limited scope.”).

On April 17, 2018, the Court previously dismissed another matter involving application of the Stored Communications Act and “rapidly changing technology” given Congressional intervention on the issue rendered moot the question before the Court.  Given that the Carpenter Majority’s Constitutional analysis may leave little room for future Congressional intervention, subsequent courts will have to grapple with deciphering the potential import of this decision – a decision with a remarkable four separately written dissents.

For example, what exactly constitutes a “comprehensive chronicle” of a defendant’s past movements, or how will heretofore unknown future non-property “privacy rights” give rise to a reasonable expectation of privacy?  Justice Gorsuch was correctly very much concerned about the uncertainty springing from this decision.  See Gorsuch, J., Dissent at 12 (“In the end, our lower court colleagues are left with two amorphous balancing tests, a series of weighty and incommensurable principles to consider in them, and a few illustrative examples that seem little more than the product of judicial intuition.”).

Despite how the Court in Carpenter references location-based tracking as some sort of newfound innovation, location-based tracking has been a percolating privacy issue for more than seven years.  To that end, even though privacy advocates and criminal defense lawyers may very well bask in this decision for years to come, by the Court not clearly ruling how certain privacy rights can give rise to a positive property right under the Fourth Amendment, privacy advocates may have actually lost a more impactful battle they could have won.

More specifically, if the ACLU – on behalf of Mr. Carpenter, had fully argued the more appropriate positive law approach discussed by Justice Gorsuch, we may all be reading a 6-3 decision that found privacy rights in data can indeed give rise to property rights under the Fourth Amendment.  Gorsuch, J., Dissent at 21 (“Before the district court and court of appeals, Mr. Carpenter pursued only a Katz “reasonable expectations” argument. He did not invoke the law of property or any analogies to the common law, either there or in his petition for certiorari. Even in his merits brief before this Court, Mr. Carpenter’s discussion of his positive law rights in cell-site data was cursory. He offered no analysis, for example, of what rights state law might provide him in addition to those supplied by §222. In these circumstances, I cannot help but conclude — reluctantly — that Mr. Carpenter forfeited perhaps his most promising line of argument.”).  For now, privacy advocates will have to be satisfied with the actual ruling before them – one that leaves the door quite open to future expansions of the “reasonable expectation of privacy”.

OCR wins $4.3 million HIPAA Victory against MD Anderson

On June 18, 2018, the Office for Civil Rights (OCR) posted a press release announcing its summary judgment victory against the University of Texas MD Anderson Cancer Center (MD Anderson) – a ruling that will require MD Anderson to pay $4,348,000 in civil money penalties to OCR.  According to the press release, this is only the second HIPAA summary judgment victory in OCR’s history and the $4.3 million is the fourth largest amount ever awarded to OCR for HIPAA violations.

The June 1, 2018 Administrative Law Judge’s decision ultimately hinged on a stolen unencrypted laptop and several lost unencrypted USB thumb drives containing “identifying information such as patient names, addresses, and Social Security numbers; and clinical information such as diagnoses, assessments, prognoses, and treatment regimes” of a total of 33,500 individuals.  Decision at 2.

The hefty fine was based on the fact MD Anderson knew encryption was an essential risk management tool since 2006 yet did not get around to fully deploying encrypted devices until after the losses in question.  According to the ALJ, MD Anderson before then made only “half-hearted and incomplete efforts at encryption”.  Decision at 5.

According to the ALJ:

The question is whether Respondent took the necessary steps to address the risk that it had identified – the potential for data loss due to the storage of ePHI on unencrypted devices. As I have explained, the failure to address that risk is the sum and substance of Respondent’s noncompliance. Had it done so, then unauthorized acts by Respondent’s employees might be relevant to the issue of compliance. But, failure by Respondent to take the security measures that it had identified as necessary renders irrelevant the issue of whether employees were playing by the rules, because that failure created a risk whether or not Respondent’s employees did so.

Decision at 14 (emphasis in original).

This latest OCR action may very well be appealed given the jurisdictional arguments made by MD Anderson.  No matter what the final appellate result, however, the ruling should slam the lid on any covered entity ever questioning again whether encryption is worth the cost of deployment.  Whether it is a state enforcement action or an OCR settlement based on vendor negligence, laptops stolen from a car, or a USB thumb drive improperly taken from an IT department, when it comes to encryption an ounce of prevention is definitely worth at least a pound of cure.

Facebook and Google face GDPR complaints on day one

Privacy activist Max Schrems is at it again.   Early morning on May 25, 2018, Mr. Schrems’ group – (none of your business), filed complaints in four EU member countries claiming that the purported GDPR consents now obtained by Facebook and Google are impermissible “forced consents” given they provide nothing more than a take it or leave it proposition for users.  Facebook previously launched a campaign claiming that it was fully on board with GDPR despite the risks entailed in these “pop up consents”.

Max Schrems should not be underestimated – he single-handedly forced a replacement to the former EU Safe Harbor regime.  The Safe Harbor regime previously governed data transfers between the US and EU but was invalidated on October 6, 2015 in a case brought by Mr. Schrems in the EU Court of Justice.

Mr. Schrems’ most recent actions go to the heart of the current online advertising duopoly, and his actions against Facebook and Google should be taken seriously by them given Schrems’ prior successes and the fact he may very well be correct in his assessment of GDPR – a privacy regime that is purposefully ambiguous in the area of consent.

Consensus 2018 blockchain event exceeds expectations

After attending the largest early adopter tech conferences conducted over the past thirty years – from Internet World, VR World, COMDEX, CES, RSA, Game Developers Conference, etc., it is easy to say Coindesk’s recent Consensus 2018 Conference – the foundation for NYC’s “Blockchain Week”, was one of the largest gatherings of early technology adopters and backers ever packed in a single location.  Almost beside the point, Consensus 2018 was also easily the largest blockchain event to date.

Despite exceeding pretty much all expectations, it was not, however, without some controversy.  Noticeably absent from the event was Vitalik Buterin as well as any Ethereum presence other than a scheduled announcement and booth presence for the Enterprise Ethereum Alliance.  The visionary Buterin boycotted the event given disagreements with the sponsor and a purported grievance with the $2,999 price tag – despite the fact Mr. Buterin himself could have bought tickets for all 8400+ attendees if he wanted.  Buterin’s thought leadership and insights were certainly missed, so hopefully next year there will be some sort of peace accord that brings him back into the fold.

According to the emcee for the event – a Brit anxiously pacing up and down with the obligatory iPad seemingly issued to all tech conference emcees, half of the attendees hailed from outside the United States.  In fact, meals and private meetings were enjoyed with folks visiting from South Korea, Australia, Finland, Switzerland, Portugal, Brazil, Berlin, Hong Kong, Vancouver, and Toronto – and that was only on the first of two attendance days.  Unlike what was shown by the early days of the web ecosystem, this gathering more than anything concretely demonstrates that any decentralized ledger future will be shaped by those outside the United States as much as by persons located within its borders.

The caliber of the audience – more so than the speakers, also demonstrates that the financial and professional institutions that missed out on the web ecosystem’s early brick laying are avoiding past mistakes.  Sensing just how disruptive things may soon get, they were out in full force – with Deloitte leading the Big Four charge and the purported naysayer JP Morgan having a sophisticated presence from New York and London.  Notwithstanding the fact the exhibit hall was stacked with ICO and ICO-wannabe companies that will likely go away in a few years, foundational companies were front and center promoting the tools and business models needed before blockchain can be digested by the masses in any meaningful way.

While companies wait to “cross the chasm”, investors are taking sides by investing in token economies and novel ramp up technologies.   And, after the speculative sheen has faded, the lasting result will be efficiencies in commerce one could only have dreamt about a few years ago.    Simply put, the “trust protocol” that will eventually be layered on top of our current digital ecosystem will create new opportunities for pretty much any company willing to listen and adapt.