Privacy World has been talking about the importance of data inventories for years. Why? Because it is next to impossible to build a compliant privacy and data security program without first doing a data inventory. A data inventory will serve as a roadmap to help a company meet various privacy and security compliance milestones. Yet, completing a data inventory is one of the hardest and most daunting parts of building a privacy program. At least it was for Katy when she was in-house as a Global Data Protection Officer. The alternative to proactively creating a data inventory is trying to hastily create one in the middle of an incident response or while responding to a regulatory demand, which Katy and Shea have seen numerous times helping clients during a crisis. Indeed, a time of turmoil is the worst time to confirm a company’s data processing practices, and we want to help you avoid this worst-case scenario as you work to build out your 2023 privacy and data security compliance action plan.
2022 was another year of high activity and significant developments in the realm of artificial intelligence (“AI”) and biometric privacy related matters, including in regard to issues arising under the Illinois Biometric Information Privacy Act (“BIPA”) and others. This continues to be one of the most frequently litigated areas of privacy law, with several notable rulings and emerging patterns of new activity by the plaintiffs’ bar. Following up on Privacy World’s Q2 and Q3 2022 Artificial Intelligence & Biometric Privacy Quarterly Newsletters, be sure to read on for a recap of key developments and insight as to where 2023 may be headed.
The IAPP has gathered predictions from privacy professionals in 56 nations across six continents in their publication 2023 Global Legislative Predictions. Charles Helleputte and Diletta De Cicco provide their predictions for Belgium.
The California Privacy Protection Agency Board (“Board”) announced it will hold a public meeting on February 3, 2023. The posted meeting agenda shows the potential for rulemaking activity during the Board’s first meeting of 2023. Specifically, the agenda items include: “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California” and “Preliminary Rulemaking Activities for New Rules on Risk Assessments, Cybersecurity Audits, and Automated Decision-Making.” The full agenda is available here.
The Supreme Court today dismissed as “improvidently granted” a case involving an unnamed law firm seeking to prevent the U.S. government from accessing the records of a client accused of violating tax laws. The law firm had previously asserted that the documents at issue were protected under attorney-client privilege. In re Grand Jury, Dkt. No. 21-1397. The case presented the issue of whether a communication involving both legal and non-legal advice is protected by attorney-client privilege when obtaining or providing legal advice was one of the significant purposes behind the communication.
Almost all cases reach the U.S. Supreme Court’s merits docket through discretionary grants of writs of certiorari. In this case, in a one-sentence per curiam decision, the Court noted merely that “[t]he writ of certiorari is dismissed as improvidently granted,” without further elaboration. This meant that, in the judgment of the Court, certiorari should not have been granted in the first instance. A dismissal of a writ as improvidently granted (“DIG”) is rarely issued. This is so even though, going back to hearings in Congress for the Judges’ Bill, Justice Willis Van Devanter in 1925 mentioned that under certain limited circumstances (for instance, facts coming to the Justice’s attention after certiorari was granted), the Court would DIG the case.
Here, the dismissal is significant for other data breach and cybersecurity cases. The Supreme Court’s dismissal leaves intact the prior ruling of the Ninth Circuit from September 2021. 13 F.4th 710 (9th Cir. 2021). There, the grand jury issued subpoenas related to a criminal investigation. The district court held a law firm and its client (an unnamed company) in contempt after they failed to comply with the subpoenas. The district court had ordered the law firm to produce documents to the government after redacting tax-related legal advice. The district court ruled that certain dual-purpose communications between the law firm and its client were not privileged because the “primary purpose” of the documents was to obtain tax advice, not legal advice. Before the Ninth Circuit, the law firm and its client (collectively, “appellants”) argued that the district court erred in relying on the “primary purpose” test and should have instead relied on a broader “because of” test. The Ninth Circuit, however, affirmed and concluded that the primary-purpose test governs in assessing assertions of attorney-client privilege for dual-purpose communications.
Had the Supreme Court addressed the substantive issues presented in the case, there was the potential for it to resolve what some had described as a multi-circuit split concerning the way that federal courts assess privilege claims for dual-purpose communications, although some are now calling that categorization of circuit precedent overly broad. Regardless, this is an issue that can frequently arise in the context of an investigation launched in response to a data incident, which Privacy World’s Kristin Bryan and others have previously covered. Instead, the Ninth Circuit’s ruling will stand, meaning that the ruling may have the unintended consequence of corporate entities incurring greater costs for obtaining legal advice in nuanced situations (including potentially ones related to data privacy). Consistent with this assessment, the U.S. Chamber of Commerce had filed an amicus brief in the In re Grand Jury case, emphasizing that the Ninth Circuit’s test will cause businesses to engage in more “siloed” communications with their counsel or alternatively seek more advice from outside counsel.
For more, stay tuned. Privacy World will be there to keep you in the loop.
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.
Last week, a federal court in California dismissed a complaint concerning allegations that Otonomo, a data broker that partnered with car manufacturers, “used electronic devices in [drivers’] cars to send real-time GPS location data directly to [defendant],” allowing Otonomo to track drivers’ location in real-time. Read on to learn more about what this means for limiting CIPA litigation exposure for geolocation tracking going forward.
Plaintiff in the case was a resident of California who alleged that her data was being “tracked and exploited by Otonomo.” The core allegations in the Complaint concern Plaintiff’s contention that Otonomo “is a data broker that secretly collects and sells real-time GPS location information from more than 50 million cars throughout the world, including from tens of thousands in California.” More specifically, Plaintiff asserted that Otonomo collaborates with its clients, who are automobile manufacturers that install electronic devices in the vehicles they manufacture. Plaintiff alleged that Otonomo partnered with car manufacturers “to use electronic devices in their cars to send real-time GPS location data directly to Otonomo through a secret ‘always on’ cellular data connection.”
Plaintiff asserted that “[b]y secretly tracking the locations of consumers in their cars, Otonomo has violated and continues to violate the California Invasion of Privacy Act (‘CIPA’), which specifically prohibits the use of an ‘electronic tracking device to determine the location or movement of a person’ without consent.” The Complaint pled a single claim under CIPA for violation of Section 637.7. Plaintiff sought to represent a putative class comprised of “[a]ll California residents who own or lease a vehicle and whose GPS data has been collected by Otonomo.”
By way of reference, Section 637.7 provides that:
(a) No person or entity in this state shall use an electronic tracking device to determine the location or movement of a person.
(b) This section shall not apply when the registered owner, lessor, or lessee of a vehicle has consented to the use of the electronic tracking device with respect to that vehicle.
(c) This section shall not apply to the lawful use of an electronic tracking device by a law enforcement agency.
(d) As used in this section, “electronic tracking device” means any device attached to a vehicle or other movable thing that reveals its location or movement by the transmission of electronic signals.
Cal. Penal Code § 637.7 (West 2022). CIPA is a heavily litigated statute that has been relied upon recently by plaintiffs in privacy class actions involving a number of recent tracking-related claims and technologies. However, Plaintiff’s application of CIPA Section 637.7 to a built-in component of a vehicle (as opposed to a standalone device) was one of first impression.
Otonomo moved to dismiss the Complaint, raising three purported fundamental deficiencies with Plaintiff’s claim. First, Plaintiff did not allege an “electronic tracking device” “attached to” his car as the terms are used in CIPA. Second, Plaintiff did not allege that Otonomo “determine[s] the location or movement of” Plaintiff. And finally, Plaintiff did not allege that he did not consent to be tracked. The Court found Otonomo’s arguments persuasive, dismissing the Complaint with prejudice.
In regard to Otonomo’s first argument, violation of CIPA Section 637.7 requires that the location or movement of a person be determined by an “electronic tracking device.” Cal. Penal Code § 637.7(a). Additionally, an “electronic tracking device” is defined as a device “attached to a vehicle . . . that reveals its location or movement.” Cal. Penal Code § 637.7(d). The Court took notice of other CIPA precedent which examined the statute’s legislative history to find that “the statute governs electronic tracking devices placed on vehicles or other movable things.” As such, the Court ruled, “that the ‘device’ must be a separate device that is attached, or placed, onto an automobile by the alleged wrongdoer.” On this basis, Plaintiff’s CIPA claim had to be dismissed. The Court observed that this result was consistent with concessions made by Plaintiff’s counsel at oral argument, which included that the device at issue “is a component part of Plaintiff’s vehicle that is not removable by Plaintiff, nor was the Plaintiff able to obtain his vehicle without [it].”
The Court was also persuaded by Otonomo’s argument that, at most, Otonomo merely received data about the location of vehicles. This was insufficient under Section 637.7 of CIPA, which prohibits the use of “an electronic tracking device to determine the location or movement of a person.” Cal. Penal Code § 637.7(a). This was because, the Court explained, “[t]he wording of the statute explicitly prohibits tracking the location or movement of a person, not a vehicle.” In this instance, the complaint was devoid of allegations that Otonomo obtained personal information of the drivers of these vehicles. Furthermore, Plaintiff did not allege that Otonomo received Plaintiff’s personal information from manufacturers, which would possess this information. On this basis as well, Plaintiff’s claim independently failed.
Finally, the Court also adopted Otonomo’s argument regarding Plaintiff’s failure to allege that he did not consent to the device installed in his car being used to track him. Notably, Section 637.7 is not violated “when the registered owner, lessor, or lessee of a vehicle has consented to the use of the electronic tracking device with respect to that vehicle.” Cal. Penal Code § 637.7(b).
In this case, the Complaint did not include an allegation that Plaintiff did not consent to being tracked by his vehicle’s manufacturer. This was a fundamental deficiency also requiring the Complaint’s dismissal because CIPA Section 637.7 “is not violated if any consent is given to the vehicle being tracked” (emphasis supplied). This required that, in order to plead a cognizable claim, Plaintiff had to allege the lack of consent with respect to both Otonomo and his vehicle manufacturer—which he did not. In so ruling, the Court rejected Plaintiff’s contention that consent did not need to be pled, as it was an affirmative defense, ruling instead that consent was “an element of the statute.”
Because the Court found that Plaintiff could not plausibly allege other facts that the device at issue was an electronic tracking device within the meaning of CIPA, Plaintiff’s claim was dismissed with prejudice. Had Plaintiff’s interpretation of CIPA been adopted by the Court in this case, it would have dramatically expanded the scope of the statute. Additionally, it could have also potentially limited the services provided to drivers on a daily basis due to perceived litigation risk.
As Otonomo’s motion pointed out, “Otonomo’s receiving vehicle GPS data through its contracts with car manufacturers and fleet managers. . .[was] used for things like roadside assistance, emergency location, vehicle theft protection, real-time weather and hazard notifications, and traffic flow management.” At bottom, Plaintiff in this case sought to create liability under CIPA for any entity that receives GPS data from car manufacturers derived from features the car manufacturers themselves built into the vehicles. The Court was prudent in this case to reject such an expansion of CIPA. It remains to be seen, however, how similar claims brought in future filed cases are treated and if this first ruling is adopted in other litigations.
For more on this, and the latest developments concerning privacy, security and innovation, stay tuned. Privacy World will be there to keep you in the loop.
Privacy World’s Kristin Bryan was quoted in an article from ABC News earlier this week. The article “Collection of Voice Data For Profit Raises Privacy Fears” discusses a rise in privacy concerns due to the uptick in voice-assisted products for both homes and workspaces. While recent voice-activated devices have led to innovation and efficiencies in many areas, there is a looming worry about how voice data collection is being used. With only four US states having enacted laws related to voice data, the concern isn’t unfounded.
Read on for Kristin’s perspective on the way voice data is regulated and more.
Our Tokyo Partner, Scott Warren, will be speaking at the Tokyo Summit 2023: Risk Management/Legal Tech/Cybersecurity in Tokyo, Japan at the Mandarin Oriental Hotel on January 24. The event, run by the CJK Group, is an all-day event covering a wide variety of legal technology and risk topics. Scott will deliver a presentation from 12-12:45 p.m. (Japan Standard Time) titled “Your Company Has Been Breached: Now What?” with Ari Davies, a Partner at Deloitte Tohmatsu (Japan). This panel will cover what you need to do to prepare for a cyber-incident, which can significantly reduce the cost of a breach, and how you need to respond to it especially when it involves cross-border data. Particular emphasis will be given to Japan and the greater APAC region as the discussion leaders are among the foremost experts experienced in some of the most significant data breaches in the region.
The event is a free in-person event only (no webinar will be held). If interested, please visit the event website.
2022 was another eventful year in the realm of privacy, security and innovation. Privacy World was there every step of the way, to keep you informed on key developments. Starting next week, we will be rolling out our popular Year in Review series. As a lead up to that, below are our ten most popular posts of 2022.