Much ink has been spilled over the Executive Order Enhancing Safeguards for United States Signals Intelligence Activities (the “Executive Order”) signed by President Biden in early October.  The Executive Order is supposed to establish the United States’ commitments reflected in the March 25, 2022 joint EU-U.S. announcement of the Trans-Atlantic Data Privacy Framework (the “Framework”).  While the Framework is described as an “agreement in principle” to facilitate cross-border transfer of personal data, the Executive Order is supposed to go further, toward actually implementing the promised protective measures.  But does it?
Continue Reading Does the Latest Move in Trans-Atlantic Privacy Really Change the Game?

The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.

Various European regulators, including the UK’s Information Commissioner’s Office (ICO), have expressed an intent to more closely monitor compliance with the data transfer rules and impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17m or 4% of group worldwide turnover.  US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.

In order for personal data gathered in the UK to be transferred, in a compliant manner, to the US, a number of steps must be taken:
Continue Reading UK-US Data Transfers Post Brexit

On February 9, 2022, the Securities and Exchange Commission (the SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940, as amended (Advisers Act) and 38a-2 under the Investment Company Act of 1940 (Investment Company Act) (such rules collectively referred to as the ‘cybersecurity risk management rules’), to require investment advisers registered under the Advisers Act (advisers) and registered investment companies under the Investment Company Act (funds) to adopt and implement significant new written cybersecurity policies and procedures. At a high level, the proposed rules would require annual reviews, add new disclosure requirements, and add new SEC and investor reporting requirements, among other requirements.
Continue Reading SEC Proposes New Cybersecurity Rules for Investment Advisers and Investment Companies

One of the best ways for companies facing media and privacy risk to protect themselves from expensive class action litigation is by including an arbitration provision in the applicable terms and conditions. While it’s not always clear at the outset of litigation whether the plaintiff agreed to the terms, companies often have to invoke arbitration quickly out of fear that they will be found to have waived arbitration. But in its coming term, the U.S. Supreme Court is now poised to address the critical point of whether prejudice to the plaintiff is a necessary element for a finding of waiver.
Continue Reading Supreme Court to address role of “prejudice” in evaluating waiver of arbitrability

Thanks to the Supreme Court’s decision in Facebook v. Duguid, 141 S. Ct. 1163 (2021), 2021 will go down as one of the most significant years in the history of the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”).  And while the second half of 2021 did not produce the fireworks that we saw earlier in the year, there are still some cases worthy of note as we enter the new year.  We summarize here developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: 2021 came in like a lion, and went out more like a lamb for TCPA law (TCPA Case Update Vol. 16)

In the aftermath of two recent appellate court decisions addressing when claims under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.) accrue, it appears likely that the Illinois Supreme Court will need to provide clarity on this critical question. First, the Appellate Court of Illinois, First District, found in Watson v. Legacy Healthcare Financial Services, LLC, et al. that claims under sections 15(a) and (b) of the Act accrue with each and every capture and use of a plaintiff’s biometric identifier or information. Second, in Cothron v. White Castle System, Inc. the Seventh Circuit Court of Appeals declined to directly address the issue of when a claim under BIPA accrues, and instead has certified the question for review by the Illinois Supreme Court. While the holding in Watson provides some clarity as to when certain BIPA claims accrue, it leaves open critical questions regarding how to calculate: (i) the number of BIPA violations; and (ii) monetary damages under the Act.
Continue Reading Two Recent Developments Promise to Shed Light on Accrual of BIPA Claims

The first half of 2021 saw one of the most significant TCPA rulings in many years as Facebook v. Duguid, 141 S. Ct. 1163 (2021), appeared to settle the long-debated question of what constitutes an automatic telephone dialing system (“ATDS”).  But while the Supreme Court’s April ruling was extremely positive for the TCPA defense bar, it by no means brought an end to TCPA claims.  Significant cases have continued to yield decisions, including cases that have sought to interpret Facebook.  And the state of Florida stepped into the abyss in passing a “mini-TCPA” statute that went into effect earlier this month that regulates telemarketing at the state level, with a much broader definition of the relevant technology.  Thus, the TCPA (and related statute) litigation landscape, while upended to some degree, remains unsettled, and we’ll continue to provide our insights.  We summarize here developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: TCPA cases in a post-Facebook world (TCPA Case Update Vol. 15)

The U.S. Supreme Court dealt a blow last week to litigants—both criminal and civil—who have attempted to use the “exceeds authorized access” provision of the Computer Fraud and Abuse Act (“CFAA” or “Act”), 18 U.S.C. § 1030, to hold former employees, competitors and others accountable for inappropriately utilizing electronic information.  In its 6-3 decision in Van Buren v. United States, the Court resolved a long-standing split on the scope of Section 1030(a)(2), providing a narrow answer to the question of whether an individual “exceeds authorized access” to electronic information in violation of the CFAA if he or she is authorized to access the information but does so for an improper purpose.  The holding will make it more difficult for prosecutors and civil litigants to wield the CFAA in some scenarios where data is misused, but not necessarily stolen.
Continue Reading Supreme Court Slashes CFAA Claims Involving Authorized Access for an Illicit Purpose

Thanks to statutory amendments and regulatory changes, compliance with the California Consumer Privacy Act (“CCPA”) continues to be a moving target. As Vedder Price previously reported, the CCPA, effective January 1, 2020, gave consumers new tools and rights for protecting their data privacy.  In October 2020, the California Attorney General (“AG”) approved the “final” set of regulations interpreting the requirements of the CCPA, discussed here. Then in December 2020, the AG proposed some modifications to the regulations in response to comments about the previous set of proposed CCPA modifications.

Recently, on March 15, 2021, the AG announced that the Office of Administrative Law approved the AG’s proposed changes to the CCPA regulations. These newly approved regulations strengthen the language of the CCPA by making three changes relating to the right to opt out of sales and one change to authorized agent requests. Thus, companies that are focused on CCPA compliance should review these regulations with fresh eyes to make sure they are still compliant.
Continue Reading CCPA Regulations Version 2.0 – Are you STILL compliant?

The European Union’s General Data Protection Regulation (“GDPR”) is well known as the toughest privacy and security law in the world, as it has a wide reach and imposes heavy fines against those who violate its privacy and security standards (which are quite broad). The impact of the GDPR has already been felt in the United States since it went into effect in 2018, and now U.S. lawmakers in numerous states are moving to enact similar legislation. The California Consumer Protection Act (“CCPA”) was the first instance of the GDPR’s impact in the United States, as California put in place a statute and regulations that mirrored the GDPR in several respects. Now Virginia has set in motion what could be a year-long string of states enacting similar legislation. In particular, Washington and New York have proposed legislation following the framework of the CCPA. This article will compare the CCPA to the newly enacted and proposed privacy laws in the United States.
Continue Reading GDPR in the USA? New State Legislation Is Making This Closer to Reality