Attorneys Highlight Privacy, Data Security Court Milestones Worthy of a Closer Look

By Katie W. Johnson

Aug. 15 — Courts in the European Union and the U.S. over the summer released a string of privacy and data security rulings that might have significant implications for U.S. and multinational companies, attorneys tell Bloomberg BNA.

The EU's highest court, in a ruling that reverberated throughout the continent and across the Atlantic, held that EU citizens can ask Internet search engines to remove search results linking to sites containing their personal information. Questions remain as to whether this right to be forgotten will threaten other intellectual rights and business endeavors.

The U.S. Supreme Court in separate June decisions concluded that law enforcement generally must obtain a warrant before searching a mobile phone seized from an arrestee and invalidated several National Labor Relations Board recess appointments in a move that left the board's workplace social media rulings open to possible challenges.

A federal circuit court is poised to address—for the first time—the Federal Trade Commission's authority to enforce companies' data security obligations.

And one U.S. district court ruled on the federal government's ability to compel Microsoft Corp. to produce data stored on its servers in Ireland, while another preliminarily approved two landmark settlements under the Telephone Consumer Protection Act.

EU Right to Be Forgotten Ruling

In the highest profile privacy and data security ruling from the past few months, the European Court of Justice in May ruled that data subjects in the European Union have the right to compel Google Inc. and other Internet search engines to remove search results linking to websites containing personal information about them (Google Spain SL v. Agencia Espanola de Proteccion de Datos, No. C-131/12 (E.C.J. May 13, 2014)).

The ECJ's decision “could put the EU data protection regime on a collision course with intellectual freedom,” Edward McNicholas, a partner at Sidley Austin LLP in Washington, told Bloomberg BNA.

“It remains to be seen whether the ruling is implemented in a thoughtful way that respects both the right to be forgotten and what I call ‘the right to remember,' ” McNicholas, who is a member of the Privacy & Security Law Report's advisory board, said. “At some point, the social and personal interest in the freedom of expression and the freedom of speech—and in historical accuracy—must be celebrated as well.”

“If this right to be forgotten only expands, it could harm any number of worthy endeavors from medical testing data sets to the financial system's need to know whether individuals have a demonstrated long-term record of paying their debts,” he said.

McNicholas said he hopes that this right will become more akin to rights allowing legal proceedings to be sealed.

“Indeed, the U.S. approach to credit reports—which allows for even bankruptcies to leave credit reports after seven or ten years—may be a model for balancing the need for historical records and the desire to allow people to reinvent themselves,” he said.

Mobile Phone Searches at Work

In the U.S., a court ruling on mobile device privacy might have implications outside of the criminal context. In June, the U.S. Supreme Court held that the Fourth Amendment doesn't allow a warrantless search of a mobile phone seized from an arrestee (Riley v. California, 134 S. Ct. 2473 (2014)).

Riley emphasized the “weighty” privacy interest of the owner of a smartphone, Philip L. Gordon, shareholder and chair of the Privacy and Data Protection Practice Group at Littler Mendelson PC in Denver, told Bloomberg BNA.

As a result, the court's opinion will likely affect internal investigations that require employers to access information on employees' personal mobile devices, he said.

In light of Riley, employers conducting such an investigation should “define the objective of the investigation” and then “limit the scope of the search to what is needed to meet that objective,” Gordon, who is a member of the Privacy & Security Law Report's advisory board, said.

An important part of bring your own device (BYOD) programs, where employers allow employees to use personal mobile devices to conduct the employer's business, is “to obtain the employee's consent up front for access to the employee's personal device,” Gordon added. Riley “simply emphasizes or highlights” consent as “an element of a BYOD program,” he said.

Riley may also have an impact in the electronic discovery context, according to Gordon. He said it “will generally be more challenging for a party seeking access to information on a respondent's personal mobile device to persuade a court to permit that access.”

FTC Data Security Case on Appeal

The decision by the U.S. Court of Appeals for the Third Circuit to review a ruling in the FTC's data security enforcement action against the Wyndham hotel chain “is a very significant development for data security regulation,” Jeff Kosseff, an associate in Covington & Burling LLP's Washington office, told Bloomberg BNA.

“The Third Circuit will be the first appellate court to rule on the scope of the FTC's authority to regulate data security under Section 5 of the FTC Act,” he explained.

In July, the Third Circuit granted a petition by Wyndham Hotels and Resorts LLC for an interlocutory appeal of portions of a district court opinion refusing to dismiss the FTC's enforcement action against it (FTC v. Wyndham Worldwide Corp., No. 14-8091, 2014 BL 216045 (3d Cir. July 29, 2014)).

“The Third Circuit's decision to grant interlocutory review presents more potential risks than benefits for the FTC,” Kosseff said.

“Because most companies settle FTC data security complaints rather than litigate them in court, a Third Circuit victory for the FTC would merely maintain the status quo,” he said. “But an FTC loss in the Third Circuit would severely undercut the agency's ability to bring data security complaints under Section 5.”

Wyndham's brief in the Third Circuit case (No. 14-03514) is due Oct. 6, according to the court's docket.

Production of Data Stored Overseas

A recent federal district court decision involving Microsoft raised the question of what law applies to data stored in the cloud, Susan Linda Ross, senior counsel at Fulbright & Jaworski LLP in New York, told Bloomberg BNA.

In July, the U.S. District Court for the Southern District of New York ruled that Microsoft must turn over the e-mails of an unidentified customer stored in a data center in Ireland in response to a U.S. government search warrant (In re Microsoft Corp., No. 1:13-mj-02814 (S.D.N.Y. July 31, 2014)).

The court, ruling from the bench, upheld a decision by a federal magistrate judge.

Looking to Congress's intent under the Stored Communications Act, 18 U.S.C. §§ 2701–2712, the court said that Internet service providers must “produce information under their control” even if that information is stored abroad.

In light of the Microsoft decision, organizations using cloud services should structure their cloud, e-mail and information technology contracts to specify the countries or regions to which the data cannot go, Ross said.

The tendency of U.S. courts and regulators to find that data stored in other countries, especially data stored in the cloud, is producible in the U.S. is “a common problem that we see all the time now with respect to civil litigation and government investigations,” David Kessler, who is a partner at Fulbright's New York office, told Bloomberg BNA.

Ross and Kessler also pointed out that U.S. decisions like Microsoft have raised concerns in the European Union, which might find that orders to disclose data stored in the EU to a party in the U.S. violate EU law.

“We're seeing a lot of tension,” Kessler said, “because there isn't a great path forward.”

At Microsoft's request, the court Sept. 8 held the company in contempt for failing to comply fully with the warrant, allowing the company to immediately appeal its July 31 ruling.

High Dollar TCPA Settlements

Companies should pay attention to the size of two major settlements under the TCPA, 47 U.S.C. § 227, and “also should take note of the conduct involved in these lawsuits and assess their communication practices and risks,” Melissa Krasnow, a partner at Dorsey & Whitney LLP in Minneapolis, told Bloomberg BNA.

She pointed to a “record-breaking” proposed $75 million settlement with Capital One.

In July, the U.S. District Court for the Northern District of Illinois preliminarily approved a $75 million proposed settlement resolving claims that the company made debt collection calls to consumers' mobile devices without their consent in violation of the TCPA (In re Capital One Tel. Consumer Prot. Act Litig., No. 1:12-cv-10064, 2014 BL 217066 (N.D. Ill. July 29, 2014)).

At the time the proposed Capital One settlement was filed, the plaintiffs said the settlement was the “largest settlement cash sum—by far—in the 22-year history of the TCPA.”

The following month, the same court preliminarily approved a $34 million proposed settlement pact resolving class allegations that Chase Bank USA NA called and sent text messages and voice alerts to consumers' mobile phones without their consent in violation of the TCPA (Gehrich v. Chase Bank USA, N.A., No. 1:12-cv-05510 (N.D. Ill. Aug. 12, 2014)).

NLRB Social Media Rulings Vulnerable?

A June ruling by the U.S. Supreme Court called into question the validity of NLRB rulings on the use of social media in the workplace.

The court concluded unanimously that President Barack Obama lacked the authority to make recess appointments to the NLRB in January 2012 because he acted when the Senate was holding pro forma sessions and wasn't legally in a “recess” (NLRB v. Noel Canning, 134 S. Ct. 2550 (2014)).

But Noel Canning probably won't have much of an impact in the long term, Maury Baskin, a shareholder at Littler Mendelson PC in Washington, told Bloomberg BNA. The NLRB “has recently issued new rulings that again prohibit social media-related discipline, notwithstanding Noel Canning's nullification of the earlier decisions of the ‘recess' Board,” he said.

For example, the NLRB Aug. 22 found that a sports bar and restaurant violated the National Labor Relations Act, 29 U.S.C. § 158, by firing employees who questioned and criticized the bar's handling of payroll tax withholding during an online Facebook discussion (Three D, LLC, 361 NLRB No. 31 (Aug. 22, 2014)).

The takeaway for employers is that they “should not expect the labor board to go away or change course,” Baskin said.

To contact the reporter on this story: Katie W. Johnson in Washington at kjohnson@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com