Learn more about Peltz-Steele v. UMass Faculty Federation at Court Listener (complaint) and the Liberty Justice Center. The case is now on appeal in the First Circuit as no. 22-1466 (PACER paywall). Please direct media inquiries to Kristen Williamson.
Showing posts with label Boston Bar Association. Show all posts
Showing posts with label Boston Bar Association. Show all posts

Friday, September 25, 2020

Boston Bar panel surveys landscape of privacy law, data protection policy, class action litigation

Attorneys Melanie Conroy, Marjan Hajibandeh, and Matthew M.K. Stein
We had great fun yesterday, as lawyer fun goes, talking about privacy law in the United States, from the impact of the Privacy Shield collapse to the latest litigation under California's groundbreaking consumer privacy protection law.  I was privileged to appear in a Boston Bar Association program on privacy class action litigation, led by attorney Melanie A. Conroy, CIPP/US, of Pierce Atwood LLP, alongside practicing-attorney panelists Matthew M.K. Stein, of Manatt, Phelps & Phillips, LLP, and Marjan Hajibandeh of CarGurus, Inc. 

Our topical reach was a breathless sprint across a dramatic landscape.  We opened with our respective thoughts on developments in privacy law, Conroy observing that the fast-paced field has undergone seismic shifts again and again in recent years, from the implementation of the California Consumer Privacy Act (CCPA) to the $18m Equifax data breach settlement in Massachusetts.

I spoke to the impact of the European Court of Justice decision ("Schrems II" (ECJ July 16, 2020)) invalidating the U.S.-EU Privacy Shield as a motivator for U.S. reform.  Besides the significance of the case in Europe and our foreign relations, the decision signals that a quarter century after adoption of the first European Data Protection Directive, Europe's patience with American recalcitrance has finally run out.

Julie Brill (MS CC) and William Kovacic
Former Federal Trade Commissioner Julie Brill told the Senate Commerce Committee this week that in two years, 65% of the world will be living under data protection laws, most of them modeled after the EU General Data Protection Regulation (GDPR).  As former Federal Trade Commission (FTC) Chairman William Kovacic put it, if we don't pass legislation in the United States, "we will get a national privacy policy: the GDPR."  As I tweeted this week, hearing testimony drove the usually cool and collected Senator Maria Cantwell (D-Wash.) to exclaim, "My God, this is clear, we need a strong privacy law." And Americans are ready; Brill said that nine out of ten Americans now believe that privacy is a human right.

Sen. Cantwell
Our panel ran down the latest developments in class action privacy litigation, loosely divided on the fronts of biometric data class actions, mostly arising under Illinois's pioneering Biometric Information Privacy Act; CCPA-related class actions in California; and data breach litigation.  I ran down cases in the latter vein and talked some about the present circuit split over Article III standing.  Federal courts have divided over whether "theft alone" can constitute concrete injury for constitutionally minimal standing, or plaintiffs must show some subsequent misuse of their data.  This issue is not limited to the data breach area, but has implications across a wide range of statutory enforcement systems, including the Fair Credit Reporting Act.

For my part, I predict that our dawning, if belated, understanding of the monetary value of personally identifiable information (PII) will lead us to the inevitable conclusion that theft alone suffices.  This is evidenced, for example, in Hogan v. NBCUniversal (D.R.I. filed Aug. 27, 2020), over the sale of Golf Channel subscriber identities, which subsequently were associated with other PII and resold.  Though for the time being, my favored conclusion is arguably not the inclination evidenced in the U.S. Supreme Court in Spokeo, Inc. v. Robins, in 2016.  Senator Dick Blumenthal (D.-Conn.) mentioned this week, apropos of current events, that Justice Ginbsburg, joined by Justice Sotomayor, dissented in Spokeo on just this point.

The late Justice Ginsburg; Sen. Blumenthal
Our next panel focus was developments in the First Circuit and Massachusetts.  In Massachusetts Superior Court in Boston, data breach litigation, filed in May 2019, against Massachusetts General Hospital, Brigham & Women's Hospital, and the Dana-Farber Cancer Institute, over online patient-service communications occurring outside secure portals, raises the very question of concrete harm, which may be resolved differently at the state level than under the federal Constitution.  Meanwhile in federal court, the same issue in data breach litigation, filed in March 2020, in Hartigan v. Macy's, highlights the lack of First Circuit precedent on the question since Spokeo, while citing strong pre-Spokeo indications that the First Circuit would favor the misuse-required position.

In parting observations, I offered that we have a long road ahead.  Of all the bills pending in Congress (see EPIC's excellent April report), only some propose a private cause of action and none attacks the problem of government surveillance, both purported prerequisites to European restoration of authorized trans-Atlantic data flow.  Within the U.S Congress, there appears to be bipartisan support for some kind of nationwide privacy legislation.  But the questions of private or FTC enforcement, and whether preemption would mean a legislative floor or ceiling remain sticking points that could derail the process.

Monday, September 14, 2020

Boston Bar webinar will probe privacy law latest

Coming soon, the Boston Bar Association will host a webinar on data privacy class action litigation (and related privacy stuff too).  I'm trying to get up to speed on all of the latest developments so that I will not disappoint moderator Melanie A. Conroy, attorney and CIPP/US, of Pierce Atwood LLP, who graciously if foolhardily invited me to participate.  For The National Law Review in April, Conroy wrote the authoritative rundown on the Mount Ida student class action, which treatment inspired me to write about the case for The Savory Tort.

My task is daunting; a lot happened while I was in Africa early in the year and out of the office over the summer.  Our subject matter includes the new regulations under the California Consumer Privacy Act, burgeoning lawsuits under the Illinois Biometric Information Privacy Act, and the shock waves just now hitting the United States from the "Schrems II" decision in the European Court of Justice.  (Brush-with-greatness note: Max Schrems has been in my car.  Long story.)  That's just to get the ball rolling.

Co-panelists are Matthew M.K. Stein, of Manatt, Phelps & Phillips, LLP, and Marjan Hajibandeh, of CarGurus, Inc.  Here are the program details from the BBA:

BBA Webinar: Roundtable on Recent Developments in Data Privacy Class Action Litigation
Thursday, September 24, 2020, 10:00 to 11:00 a.m.
This webinar will explore the growing prevalence of data privacy class actions through recent developments in data privacy legislation, expanded private rights of action, biometric privacy claims, consumer data suits, post-breach and cybersecurity litigation, and the increasingly complex landscape of rulings by federal courts of appeals. The presenters will discuss national trends and developments within the First Circuit and in Massachusetts. The discussion will look ahead to areas to watch and trends that may shape the development of data privacy class actions in the coming months and years.

The program is free for BBA members and $100 for non-members. Registration at least two hours before the program-start is essential to receive the Zoom link.