All posts by Paul E. Paray

Behavioral Advertising, Media, Privacy, Social Media

Apple’s CEO rails against the “data industrial complex”

Tim Cook was on fire in Brussels giving his October 24, 2018 keynote speech at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC).  As reported by TechCrunch, Mr. Cook targeted Google and Facebook when he said: “Our own information — from the everyday to the deeply personal — is being weaponized against us with military efficiency. . . These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded and sold.”

He played to his appreciative EU audience when he said:  “We should celebrate the transformative work of the European institutions tasked with the successful implementation of the GDPR. . . . It is time for the rest of the world, including my home country, to follow your lead. . . . [Apple] is in full support of a comprehensive, federal privacy law in the United States”.

Cook argued for a federal US privacy law that would prioritize four things:

  1. Data minimization — “the right to have personal data minimized” or not collect it in the first place;
  2. Transparency — “the right to know what data is being collected and what it is being collected for” to “empower users to decide what collection is legitimate and what isn’t”;
  3. The right to access — given “data belongs to users” it should be made easy for users to get a copy of, correct and delete their personal data; and
  4. The right to security — given “security is foundational to trust and all other privacy rights”

According to Cook, the creation of extensive digital profiles “is surveillance.  And these stockpiles of personal data serve only to enrich the companies that collect them. This should make us uncomfortable.”

After he dropped his mic, Cook quickly went on Twitter to double down on his speech:

It is not clear how his obviously well-thought out position will ultimately impact Apple’s bottom line.  As previously observed, Apple has a natural symbiotic relationship with the social media platforms given “the smartphones that are the backbone of Apple’s success thrive in a social media environment where Facebook does exactly what it wants, namely provide “free” services that are habitually accessed throughout the day.”

Whether Cook is ultimately bluffing for PR points or believes his company’s lobbying can ultimately finesse any future legislative effort is beside the point.    The most powerful tech company in the world has just thrown down the gauntlet for a unified US privacy regime.  No different from the recently-enacted bipartisan anti-opioid abuse law, consumer privacy is a bipartisan issue so it is likely Congress will eventually come together to pick up Mr. Cook’s heavy glove.  And, for that Mr. Cook deserves another loud round of applause.

Behavioral Advertising, Blockchain, Digital Assets, DLT, Intellectual Property, Privacy, Social Media, Technology Law

Gilder’s Life after Google

Even though one online reviewer called it “[a] random walk through Silicon Valley without any goal, valuable information, conclusions or anything other than what would fit a gossip magazine”, Gilder’s book provides a grand thesis with very deliberate underpinnings.  There are certainly many other books and articles out there that better inform regarding blockchain.  Nevertheless, Gilder explains exactly why blockchain will in the distant future help cause Google to lose its digital stranglehold.  For that, his book largely stands alone.

Gilder has had close access to the elite tech digerati for decades. There is no denying he knows what and who he is talking about. The writing style, however, will not be everyone’s cup of tea.  For example, applying a straw man style, he often builds up only to take down later in the book. This can easily be frustrating.  Also, an imagined meeting with Satoshi Nakamoto – the pseudonymous founder of Bitcoin, can either be considered a highlight of the book or downright hokey based on one’s literary taste.

To Gilder, Google’s downfall largely rests on its giving away free products without fully understanding how this zero-sum system neglects the value and impact of consumer time on Google’s $30 billion dollar Siren Servers – a Jaron Lanier term used to convey the eventual death spiral of a company blinded by its 75,000 server farm.  Gilder reminds:  “Without prices, all that is left to confine consumption is the scarcity of time”.

Interestingly, Jaron Lanier as well as Peter Thiel feature predominately in this book as the existential fodder for much of Gilder’s musings. The true sparkle, however, remains pure Gilder – including his view that Google’s fall is precipitated on the behemoth’s not fully understanding true wealth can only be a product of knowledge and memories.  As Gilder suggests, “wealth is not a thing or a random sequence. It is inextricably rooted in hard won knowledge over extended time.” How he eventually connects the many dots found in the book is worth the read despite the haphazard approach.  And, despite valid style criticisms, given so few are walking down this exact path, Gilder’s trailblazing can only be lauded.

Using pokes and outright direct digs on failed exercises of socialism and a “World Saving” Artificial Intelligence fealty pursued by Elon Musk, Gilder’s libertarian bent expresses a slightly brighter vision where creativity and humanity win out.  He is on to something – just ask Tim Berners-Lee about his startup, Inrupt to get additional perspective on Google.  And, the decentralized web ecosystems exemplified by Blockstack and Hashgraph are certainly aimed at tearing down the current global ecosystems founded by the Tech Lords of Stanford. Ultimately, in futurist Gilder’s vision, individuals win when they can more easily trust and be secure in their interactions.

Those seeking an actual name for the specific Google killer app will be disappointed. Gilder does not reveal which business vision will launch the “killer app” required to actually break the status quo.  Readers are provided with an abstract roadmap lacking in specific directions because no specific killer app has been publicly announced yet and will likely not be released for several years.

Blockchain, Digital Assets, Privacy, Risk Management

AT&T crypto theft case may hasten new insurance exclusions

On August 15, 2018, crypto-enthusiast Michael Terpin filed a 69-page Complaint against AT&T in the Central District of California.  This federal action – a fifteen-count missive from Greenberg Glusker, seeks compensation of $24,000,000 for stolen cryptocurrencies as well as punitive damages in the amount of $200,000,000.  Terpin’s counsel seeks to get around standard contractual limitations and arbitration language by claiming that AT&T violated every possible California consumer statute on the books.

At its essence, the lawsuit alleges AT&T did not “implement and maintain reasonable security procedures and practices” regarding personal information and protect it “from unauthorized access, destruction, use, modification or disclosure” as evidenced by a “January 7, 2018 SIM swap fraud” conducted by a criminal who was able to convince an AT&T store employee to give him Mr. Terpin’s SIM card.  Complaint ¶ 238.

In order to obtain recovery in federal court, Terpin’s counsel will have to get around standard ADR language and damages limitations typically found in mobile carrier agreements.  More than likely, the valiant efforts of Greenberg Glusker will be to no avail – with the eventual result this case will move down the well-traveled road of arbitration without any punitive damages or massive discovery in sight.  The Supreme Court authority for such a result is quite extensive and may be why the Complaint is written in such flowery and emotional prose.

No matter what forum eventually takes on this case, it raises numerous issues that percolate beyond the four corners of the Complaint.  For example, will AT&T’s insurer eventually defend or pay out on this claim?  If so, which coverage grants will be triggered?  And, if there is coverage, will ISO or major insurance carriers develop a standard insurance exclusion to bar cryptocurrency theft claims in the future?   As it moves through the California federal court system, this case will definitely have consequences for corporations well beyond AT&T.

Behavioral Advertising, Privacy, Risk Management, Social Media

EU-US Privacy Shield may soon be suspended


The EU-US Privacy Shield may finally be in actual jeopardy.  It was previously thought that given the high stakes, this data transfer accommodation implemented as a replacement for the judicially invalidated Safe Harbor program was too important an agreement to be withdrawn and that only another judicial ruling could render its death knell.  That is no longer the case.   A vote today by the European Parliament made sure of that.

As reported by the IAPP,  on July 5, 2018 the European Parliament passed a non-binding resolution by a vote of 303 to 223 votes and 29 abstentions to have the European Commission suspend the EU-US Privacy Shield “unless the U.S. is fully compliant” by September 1, 2018.    This is the second September review of the EU-US Privacy Shield.

Between the GDPR requirements left out of the EU-US Privacy Shield, the Cambridge Analytica fiasco that still dogs Facebook, the US’s adoption of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) – a statute that expressly allows access to trans-border personal data, the US’s pulling out of the Iran deal despite strong pressure from the EU, and the current tariff barbs being sent across the Atlantic, the long-term health of EU-US Privacy Shield can no longer be considered a given.   Companies who have been reliant on this data transfer accommodation should certainly consider alternatives as soon as possible.

UPDATE:  October 23, 2019

As reported in TechCrunch, the EU-US Privacy Shield has withstood its last review given the appointment of an ombudsperson role but there still remains pending litigation targeting it.

UPDATE:  July 16, 2020

On July 16, 2020, the EU Court of Justice decided “Schrems II” and invalidated the EU Commission’s Decision 2016/1250 regarding the adequacy of the EU-U.S. Privacy Shield (‘the Privacy Shield Decision’).  As described in the Press Release:

[T]he limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.

In rejecting the use of a Privacy Shield Ombudsperson who was independent from the Intelligence Community – the agreed-upon safeguard found in the Privacy Shield Decision, the Court of Justice ruled that such a mechanism “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services.” 

Behavioral Advertising, Privacy, Risk Management, Social Media

New California law provides statutory damages for data incidents

With the June 28, 2018 signing of The California Consumer Privacy Act of 2018, data breach class counsel are rejoicing that they finally have a private right of action backed with statutory damages.  Even though there were previous statutory remedies for privacy violations, the recent California law has gone where no other law has gone before by expressly providing a private right of action for a data breach that also allows for a minimum statutory amount.  Not surprisingly given it was the first state to pass a breach notification law, the California legislature again led the way.

After certain data incidents involving the loss of consumer data, California consumers will have beginning on January 1, 2020 a private right of action that can also be brought on a class-wide basis.   Specifically, any consumer whose unencrypted or nonredacted personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action . . . to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages.”   Section 1798.150(a)(1).

Despite being groundbreaking, there are still numerous hurdles class counsel must surmount before a class can be certified.  For example, the private right of action may not be allowed unless the compromised information is subject to unauthorized use.  Section 1798.150(a)(1).   Accordingly, those incidents where unauthorized use is not in issue are not subject to the statute.

Moreover, the law can only be used against a business with “gross revenues in excess of twenty-five million dollars ($25,000,000)” or one that purchases personal data on “50,000 or more consumers, households, or devices” or one that “derives 50 percent or more of its annual revenues from selling consumers’ personal information.” Section 1798.140(c).

Curiously, the law allows a business to “cure” its security violation; and thereby avoid suit, but leaves to the imagination exactly how that curing process would play out.   Section 1798.150(b)(1).

And finally, this private right of action can be withdrawn if the California Attorney General files its own suit after being provided notice of a consumer’s lawsuit.  Section 1798.150(b)(3).   The AG’s office has 30 days to decide whether or not to file suit after being provided with the consumer’s lawsuit notice.

Notwithstanding the last-minute changes made to this last-minute statute, it still provides California consumers with the country’s most expansive statutory privacy rights– rights that will be immediately deployed by class counsel after 2020.   Most analysis on this new law, however, has focused on comparing it to the EU’s GDPR privacy regime – a recently implemented privacy regime that impacts many  US-based companies.    In addition to the privacy requirements, companies processing significant amounts of consumer personal data should also take the class action risk very seriously and if they do not already purchase insurance for that risk, they should at least evaluate transferring some of this liability risk by way of the privacy and data security insurance long been available to most any company.

UPDATE:  September 28, 2018

SB211 was signed into law largely to “technically correct” errors in the law but nevertheless made two significant changes to Section 1798.150 when it removed the prior requirement that consumers notify the Attorney General prior to bringing any action for a data breach and removed the prior requirement that the Attorney General could bar consumer plaintiffs from bringing suit.  These two significant changes will certainly make for a very interesting class action year in 2020.

UPDATE:  February 26, 2019

On February 22, 2019, a proposed amendment to the law was proposed that would do away with a cure provision, expand the statutory damages provision to any violation of the law, and limit the role of the Attorney General in policing violations.  If passed, these changes will significantly alter the reach of the law by making the plaintiff’s bar’s arsenal even wider and the law’s penalties that much stronger.

Behavioral Advertising, Privacy

Supreme Court sides with privacy advocates in Carpenter

On June 22, 2018, the United States Supreme Court ruled that obtaining cell-site location information without a probable cause warrant violates the Fourth Amendment despite the fact there were no actual associated property rights in the data.   In writing for the majority, Chief Justice Roberts sided with the liberal wing of the Court and against those Justices looking to affirm the robbery conviction in question.  Justice Gorsuch’s Dissent correctly points out, however, that the “most promising line of argument” available to Carpenter was not well-developed by Carpenter, namely that he had positive property rights in his geo-location data.  Gorsuch, J., Dissent at 21.   Instead, the Majority ruled there was a reasonable expectation of privacy in the data in question despite the lack of any available property rights.

This decision could have been a potential clarion call regarding privacy rights well beyond that found in a Fourth Amendment context.  Instead of confirming the data’s true value – again, as a positive property right, the Majority determined that a third-party’s access and consent to use the data in question did not negate the data’s ability to give rise to a reasonable expectation of privacy – in effect, carefully distinguishing the so-called third party doctrine previously applied by the Court.  In so doing, the Majority carefully parsed precedent on this issue – now giving it a second tier analysis status, rather than outright reject it as apparently sought by Justice Gorsuch in his Dissent.  Gorsuch, J., Dissent at 5 – 8.

Recognizing the contortions taken by the Majority, Justice Alito fairly screamed for Congressional intervention given this perceived affront to existing Fourth Amendment precedent.  Alito, J., Dissent at 27 (“Legislation is much preferable to the development of an entirely new body of Fourth Amendment caselaw for many reasons, including the enormous complexity of the subject, the need to respond to rapidly changing technology, and the Fourth Amendment’s limited scope.”).

On April 17, 2018, the Court previously dismissed another matter involving application of the Stored Communications Act and “rapidly changing technology” given Congressional intervention on the issue rendered moot the question before the Court.  Given that the Carpenter Majority’s Constitutional analysis may leave little room for future Congressional intervention, subsequent courts will have to grapple with deciphering the potential import of this decision – a decision with a remarkable four separately written dissents.

For example, what exactly constitutes a “a comprehensive chronicle” of defendant’s past movements or how will heretofore unknown future non-property “privacy rights” give rise to a reasonable expectation of privacy?  Justice Gorsuch was correctly very much concerned about the uncertainty springing from this decision.  See Gorsuch, J., Dissent at 12 (“In the end, our lower court colleagues are left with two amorphous balancing tests, a series of weighty and incommensurable principles to consider in them, and a few illustrative examples that seem little more than the product of judicial intuition.”).

Despite how the Court in Carpenter references location-based tracking as some sort of newfound innovation, location-based tracking has been a percolating privacy issue for more than seven years.  To that end, even though privacy advocates and criminal defense lawyers may very well bask in this decision for years to come, by the Court not clearly ruling how certain privacy rights can give rise to a positive property right under the Fourth Amendment, privacy advocates may have actually lost a more impactive battle they could have won.

More specifically, if the ACLU – on behalf of Mr. Carpenter, had fully argued the more appropriate positive law approach discussed by  Justice Gorsuch we may all be reading a 6-3 decision that found privacy rights in data can indeed give rise to property rights under the Fourth Amendment.  Gorsuch, J., Dissent at 21 (“Before the district court and court of appeals, Mr. Carpenter pursued only a Katz“reasonable expectations” argument. He did not invoke the law of property or any analogies to the common law, either there or in his petition for certiorari. Even in his merits brief before this Court, Mr. Carpenter’s discussion of his positive law rights in cell-site data was cursory. He offered no analysis, for example, of what rights state law might provide him in addition to those supplied by §222. In these circumstances, I cannot help but conclude — reluctantly — that Mr. Carpenter forfeited perhaps his most promising line of argument.”).  For now, privacy advocates will have to be satisfied with the actual ruling before them – one that leaves the door quite open to future expansions of the “reasonable expectation of privacy”.

Electronic Health Records, Privacy, Risk Management

OCR wins $4.3 million HIPAA Victory against MD Anderson

On June 18, 2018, the the Office for Civil Rights (OCR) posted a press release announcing its summary judgment victory against the University of Texas MD Anderson Cancer Center (MD Anderson) – a ruling that will require MD Anderson to pay $4,348,000 in civil money penalties to OCR.   According to the press release, this is only the second HIPAA summary judgment victory in OCR’s history and the $4.3 million is the fourth largest amount ever awarded to OCR for HIPAA violations.

The June 1, 2018 Administrative Law Judge’s decision ultimately hinged on a stolen unencrypted laptop and several lost unencrypted USB thumb drives containing “identifying information such as patient names, addresses, and Social Security numbers; and clinical information such as diagnoses, assessments, prognoses, and treatment regimes” of a total of 33,500 individuals.  Decision at 2.

The hefty fine was based on the fact MD Anderson knew encryption was an essential risk management tool since 2006 yet did not get around to fully deploying encrypted devices until after the losses in question.  According to the ALJ, MD Anderson before then made only “half-hearted and incomplete efforts at encryption”.  Decision at 5.

According to the ALJ:

The question is whether Respondent took the necessary steps to address the risk that it had identified – the potential for data loss due to the storage of ePHI on unencrypted devices. As I have explained, the failure to address that risk is the sum and substance ofRespondent’s noncompliance. Had it done so, then unauthorized acts by Respondent’s employees might be relevant to the issue of compliance. But, failure by Respondent to take the security measures that it had identified as necessary renders irrelevant the issue of whether employees were playing by the rules, because that failure created a risk whether or not Respondent’s employees did so.

Decision at 14 (emphasis in original).

This latest OCR action may very well be appealed given the jurisdictional arguments made by MD Anderson.  No matter what the final appellate result, however, the ruling should slam the lid on any covered entity ever questioning again whether encryption is worth the cost of deployment.     Whether it is from a state enforcement action or OCR settlements based on vendor negligence, laptops stolen from a car, or a USB thumb drive improperly taken from an IT department, when it comes to encryption an ounce of prevention is definitely worth at least a pound of cure.

Behavioral Advertising, Privacy, Social Media

Facebook and Google face GDPR complaints on day one

Privacy activist Max Schrems is at it again.   Early morning on May 25, 2018, Mr. Schrems’ group – NOYB.eu (none of your business), filed complaints in four EU member countries claiming that the purported GDPR consents now obtained by Facebook and Google are impermissible “forced consents” given they provide nothing more than a take it or leave it proposition for users.  Facebook previously launched a campaign claiming that it was fully on board with GDPR despite the risks entailed in these “pop up consents”.

Max Schrems  should not be underestimated – he single-handedly forced a replacement to the former EU Safe Harbor regime.    The Safe Harbor regime previously governed data transfers between the US and EU but was invalidated on October 6, 2015 in a case brought by Mr. Schrems in the EU Court of Justice.

Mr. Schrems’ most recent actions go at the heart of the current online advertising duopoly and his actions against Facebook and Google should be taken seriously by them given Schrems’ prior successes and the fact he may very well be correct in his assessment of GDPR – a privacy regime that is purposefully ambiguous in the area of consent.

Blockchain, Digital Assets, DLT, Technology Law

Consensus 2018 blockchain event exceeds expectations

After attending the largest early adopter tech conferences conducted over the past thirty years – from Internet World, VR World, COMDEX, CES, RSA, Game Developers Conference, etc., it is easy to say Coindesk’s recent Consensus 2018 Conference – the foundation for NYC’s “Blockchain Week”, was one of the largest gatherings of early technology adopters and backers ever packed in a single location.  Almost beside the point, Consensus 2018 was also easily the largest blockchain event to date.

Despite exceeding pretty much all expectations, it was not, however, without some controversy.  Noticeably absent from the event was Vitalik Buterin as well as any Ethereum presence other than a scheduled announcement and booth presence for the Enterprise Ethereum Alliance.  The visionary Buterin boycotted the event given disagreements with the sponsor and a purported grievance with the  $2,999 price tag  – despite the fact Mr. Buterin himself could have bought tickets for all 8400+ attendees if he wanted.  Buterin’s thought leadership and insights were certainly missed so hopefully next year there will be some sort of peace accord that brings him back into the fold.

According to the emcee for the event – a Brit anxiously pacing up and down with the obligatory iPad seemingly issued to all tech conference emcees, half of the attendees hailed from outside the United States.  In fact, meals and private meetings were enjoyed with folks visiting from South Korea, Australia, Finland, Switzerland, Portugal, Brazil, Berlin, Hong Kong, Vancouver, and Toronto – and that was only on the first of two attendance days.  Unlike what was shown by the early days of the web ecosystem, this gathering more than anything concretely demonstrates that any decentralized ledger future will be shaped by those outside the United States as much as by persons located within its borders.

The caliber of the audience – more so than the speakers, also demonstrates that the financial and professional institutions who missed out on the web ecosystem’s early brick laying are avoiding past mistakes.  Sensing just how disruptive things may soon get, they were out in full force – with Deloitte leading the Big Four charge and the purported naysayer JP Morgan having a sophisticated presence from New York and London.   Notwithstanding the fact the exhibit hall was stacked with ICO and ICO-wannabee companies that will likely go away in a few years, foundational companies were front and center promoting the tools and business models needed before blockchain can be digested by the masses in any meaningful way.

While companies wait to “cross the chasm”, investors are taking sides by investing in token economies and novel ramp up technologies.   And, after the speculative sheen has faded, the lasting result will be efficiencies in commerce one could only have dreamt about a few years ago.    Simply put, the “trust protocol” that will eventually be layered on top of our current digital ecosystem will create new opportunities for pretty much any company willing to listen and adapt.

Litigation Management, Privacy, Risk Management, Social Media

Supreme Court takes Google cy pres fund case

On April 30, 2018, the United States Supreme Court granted certiorari so that it could determine whether a settlement in a privacy class action against Google was “fair, reasonable, and adequate” when the roughly $5 million settlement only went to cy pres recipients rather than actual class members.  Specifically, the Court is to decide:

Whether, or in what circumstances, a cy pres award of class action proceeds that provides no direct relief to class members supports class certification and comports with the requirement that a settlement binding class members must be “fair, reasonable, and adequate.”

As previously recognized, the use of cy pres settlements has been a troublesome trend in privacy class action settlements given it allows plaintiffs’ counsel to quickly file and resolve class actions before  actual damages can be made readily apparent.  Indeed, attorney generals have objected  to cy pres settlements given the lack of redress available to victims.  Given Justice Roberts prior pronouncement on the topic, it may very well be the case that cy pres funding  – which previously only took place in settlements after plaintiffs were actually compensated, may very well no longer be an acceptable means of quickly ending a privacy class action.