District Court Finds Communications Decency Act Provides Automotive Device Manufacturer Immunity for Clean Air Act Violations
On March 28, 2024, in US v. EZ Lynk, the U.S. District Court for the Southern District of New York dismissed the Department of Justice’s (DOJ) claim that an automotive device manufacturer violated Section 203 of the Clean Air Act (CAA), holding that Section 230 of the Communications Decency Act (CDA) provided complete immunity from CAA liability for the sale of certain aftermarket automotive devices. This decision of first impression offers an important precedent in the automotive industry and beyond. The decision gives effect to the CDA as drafted and will make it significantly harder for the government to hold manufacturers and online retailers liable for content, including software, created and sold by third parties.
Cybersecurity Takeaways From White House Tech Report
On Feb. 26, the White House’s Office of the National Cyber Director (ONCD), released a report on how technology manufacturers and software developers can improve the cybersecurity posture of the U.S. This report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” aligns with the Biden administration’s current, intense focus on combatting ever-increasing cyberthreats through software development and software manufacturer accountability. In this article, published by Law360 on March 26, Sidley lawyers Alan Charles Raul, Stephen McInerney and Vishnu Tirumala discuss the ONCD report and provide key take-aways for software developers and manufacturers, their senior management, and boards.
Trend Watch 2024: Hot Topics in California Regulation and Litigation
Join our 7th annual Trend Watch webinar to learn how tactical decision-making can help you conquer California’s challenging legal environment. Our focus areas will include:
- New developments in California privacy law
- Prop. 65 by the numbers
- Need-to-know environmental law changes
In a Win for Defendants, Illinois Supreme Court Holds That Health Care Exemption Under BIPA Is Not Limited to Patients’ Biometric Information
For the third time in 2023, the Illinois Supreme Court addressed the scope of the Illinois Biometric Information Privacy Act (BIPA) — this time in Mosby v. Ingalls Memorial Hospital. In a unanimous decision, the court held that BIPA’s “health care exemption” is not limited to patients’ biometric information (such as fingerprint scans), but also extends to biometric information collected, used, or stored for healthcare treatment, payment, or operations — regardless of its source.1 This decision also marks the Illinois Supreme Court’s first BIPA-related decision where it adopted the defendants’ proposed interpretation of the statute. (more…)
EU Commission Adopts New Rules for GDPR Enforcement: the Beginning of a Centralized Enforcement Model?
On 4 July 2023, the EU Commission proposed a new Regulation for procedural rules to standardize and streamline cooperation between EU Member State Data Protection Authorities (DPAs) when enforcing the EU General Data Protection Regulation (GDPR) in cross-border cases (GDPR Procedural Regulation). The GDPR adopts a decentralized enforcement model. National EU Member State DPAs are competent to enforce the GDPR on their respective territories. However, in cases with cross-border elements, the GDPR requires all concerned DPAs to cooperate in accordance with the GDPR’s “one-stop-shop” through cooperation and consistency mechanisms. Although these mechanisms establish key principles of cooperation and provide the basis for consistent application of the GDPR throughout the EU, the EU Commission determined more legislative action was needed to increase efficiency and harmonization of cross-border GDPR enforcement action.
Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action
On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.
Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims
For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1
Illinois Supreme Court Clarifies Statute of Limitations for Illinois Biometric Privacy Act Claims: Five Years
Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute.1
Uber Data Breach Results in Corporate Cooperation and Executive Conviction
On October 5, 2022, a federal jury in the Northern District of California convicted former Uber Chief Security Officer Joseph Sullivan of obstructing a federal proceeding and misprision of a felony for his role in deceiving management and the federal government to cover up a 2016 data breach that exposed personally identifiable information (“PII”) of approximately 57 million users, including approximately 600,000 drivers’ license numbers, of the ride-hailing service. Sullivan, a former federal prosecutor, appears to be the first corporate executive criminally prosecuted—let alone convicted—for his response to a data security incident perpetrated by criminals. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge.