UK Supreme Court Grants Google Permission to Appeal Class Action Claim in Lloyd vs Google LLC
The Supreme Court has recently granted Google permission to appeal the Court of Appeal’s decision in the case of Lloyd v Google LLC ([2019]) EWCA Civ 1599). The class action brought against Google by Richard Lloyd, the former editor of consumer protection rights group “Which?”, relates to the alleged tracking of personal data by Google of 4.4 million iPhone users and subsequent selling of the users’ data to advertisers, without the users’ knowledge and consent. Google is now appealing the Court of Appeal’s decision granting Mr Lloyd permission to serve his representative action on Google. This landmark case is of particular importance as it has the potential to significantly widen the scope for claims to be brought in respect of a failure to protect data under the GDPR.
Schrems II – Live Reaction to the Key Landmark Decision on the Future of International Data Transfers
Join Us for Post-Decision Coverage of the Schrems II Case
On July 16, the Court of Justice of the European Union will release its much anticipated decision in the Schrems II case, evaluating the validity of key data transfer mechanisms, including Standard Contractual Clauses. The decision could impact the future of international data flows and your business.
We will host an immediate reaction and analysis with leading industry panelists on this landmark decision to understand its impact and what the future may hold.
Two Rulings in Two Weeks on the TCPA’s Autodialer Restrictions
The last two weeks have brought two important (although unrelated) rulings on the TCPA’s Autodialer Restrictions. First, on June 25, the Federal Communications Commission limited the applicability of the autodialer restrictions in the Telephone Consumer Protection Act, 47 U.S.C. § 227 (the “TCPA”), to an emerging texting technology. Second, less than two weeks later, the Supreme Court ruled that an exception to the TCPA’s autodialer restrictions for calls to collect federal debts was unconstitutional and expanded the statute’s reach.
French Council of State Upholds €50m CNIL Fine against Google
On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision upholding the €50 Million fine imposed against Google LLC by the French Supervisory Authority (the “CNIL”). On January 21, 2019, the French CNIL had issued a fine against Google’s U.S. headquarters for failure to comply with the EU General Data Protection Regulation’s (“GDPR”) fundamental principles of transparency and legitimacy. Please refer to the relevant Sidley Data Matters’ blog post on the CNIL decision here. The CNIL found that Google had insufficiently informed Android users about their data processing activities, given the complexity of Google’s privacy policy and terms & conditions, and that the consent obtained from them through the use of pre-ticked boxes was insufficient to serve as a legal basis for processing used for targeted advertising. This was the first and highest regulatory fine the CNIL had issued on the basis of the GDPR.
UK Supreme Court Rules Morrisons Not Vicariously Liable for Malicious Data Breach by Employee
Case: WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12
In a decision that employers will welcome, the UK Supreme Court recently ruled that Morrison Supermarkets (Morrisons) was not vicariously liable for a data breach committed maliciously by a former employee who, acting to satisfy a personal vendetta against Morrisons, disclosed employee payroll data online.
CJEU Considers the Use of CCTV and Legitimate Interests
With the use of CCTV on the rise, it has become increasingly important for controllers to find a framework in which the conflicting rights of those who are subject to such surveillance are balanced. In its recent decision of TK v Asociaţia de Proprietari bloc M5A-ScaraA EU:C:2019:1064 (TK), the CJEU considered whether the processing carried out by CCTV cameras was necessary and proportionate for the purposes of legitimate interests pursued by the controller.
Highest European Court Confirms: No Presumption of Confidentiality Over Documents Submitted in Marketing Authorization Dossier
On January 22, 2020, the Court of Justice of the European Union (CJEU) found that there is not a general presumption of confidentiality over documents containing clinical and preclinical data provided to the European Medicines Agency (EMA) to support a marketing authorization application. However, the CJEU indicated that certain information may be protected if the interested party can specifically show that the disclosure will cause it harm. This is the first time the CJEU has ruled on this matter, upholding the EMA’s approach to handling access to documents requests.
The Sixth Edition of The Privacy, Data Protection and Cybersecurity Law Review is Available
The sixth edition of The Privacy, Data Protection and Cybersecurity Law Review takes a look at the evolving global privacy, data protection and cybersecurity landscape in a time when mega breaches are becoming more common, significant new data protection legislation is coming into effect, and businesses are coming under increased scrutiny from regulators, Boards of Directors and their customers. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. See the chapters below for a closer look at this developing area of law. (more…)
In an Eagerly Anticipated Decision, the Ninth Circuit Sides With Web Scrapers
For years, companies seeking to block web scrapers from collecting the information on their website would invoke the Computer Fraud and Abuse Act (CFAA), a U.S. law that criminalizes accessing a computer “without authorization.” But the U.S. Court of Appeals for the Ninth Circuit has now ruled that merely instructing scrapers that they are not welcome on a public website, either through a restrictive terms of use or a cease-and-desist letter, is probably not enough to render their access “unauthorized” under the CFAA. This decision is encouraging news for the many hedge funds, academic researchers and other data aggregators that use software bots to compile information online.
11th Circuit Rules Single Text Message Not Sufficient for Article III Standing
Creating a circuit split, the U.S. Court of Appeals for the Eleventh Circuit has held that receiving a single unwanted text message is not enough to confer standing, even if the text violated the federal Telephone Consumer Protection Act (TCPA). The court disagreed with a Ninth Circuit ruling that reached the opposite conclusion in 2017. In so doing, it gave new life to an argument defendants may use to fend off class actions under the TCPA.