By Emily A. Bruemmer

On March 6, 2019, Facebook CEO Mark Zuckerberg announced via an interview and a Facebook blog post a planned shift to “building a privacy-focused messaging and social networking platform.”  Characterizing this shift as a “privacy-focused vision,” Zuckerberg said that this change in focus meant that Facebook and Instagram would not only function as “the digital equivalent of a town square” but also “the digital equivalent of the living room.”  This shift was billed in part as a response to user demand: according to the post, the “fastest growing areas of online communication” were private messaging, “ephemeral stories,” and small group communication. 

According to the blog post, Facebook’s “privacy-focused platform” will be based on six principles: private interactions, encryption, reducing permanence, safety, interoperability, and secure data storage.  “Interoperability” refers to Facebook’s plan to integrate its messaging services across Facebook Messenger, WhatsApp, and Instagram Direct.  The blog post did not provide much detail on what these principles would mean in practice or what changes users would see from an experiential perspective, but rather qualified its efforts as being in the “early stages.”  

By Reena R. Bajowala

The fallout from the late 2013 data security breach involving the Target Corporation is not over yet.  After Target announced that financial information of more than 40 million consumers could be at risk, a flurry of lawsuits were filed by consumers and financial institutions.  The consumer suits settled.  The financial institution suits live on (for now) in In re Target Corp. Customer Data Security Breach Litigation, No. 14-2522 (D. Minn. Sept. 15, 2015), where a class of financial institutions who issued credit cards to Target consumers alleged that they were injured by Target’s failure to prevent hackers from accessing customer data in the form of replacing cards and reimbursing fraud losses. 

Plaintiffs sought Rule 23(b)(3) class certification.  Target opposed, arguing that the injuries are “risk of future harm” that financial information might in the future be used, so cannot be established with classwide proof.  The court noted that the banks already reissued cards and that some have already incurred losses from payments.  Target countered that there was no requirement that the plaintiffs reissue cards, so the voluntary act cannot be used by the plaintiffs to establish their own injuries.  The court rejected the argument, holding that “[w]hether a specific action was legally mandated is not required to establish injury or causation.”  The court commented that the “absurdity of this suggestion is evident from the fact that Target itself reissued all of its RedCards . . . in the weeks after the breach.” 

By Mary Ellen Callahan

On October 6, 2015, the Court of Justice of the European Union (CJEU) decided to agree in large part with the Advocate General’s recommendation in the matter Schrems v. Facebook (Ireland), and invalidated the U.S./EU Safe Harbor mechanism for transferring data.  Safe Harbor was first established in 2000 as an additional mechanism to transfer personal data from the EU to the U.S., provided that companies publicly agreed to Safe Harbor privacy principles (“Commission decision 2000/520).  The enforcement for Safe Harbor non-compliance was set with the Federal Trade Commission; the FTC could also accept complaints from EU Data Protection Authorities (DPA). 

In Schrems, the Irish DPA determined that he did not have the authority to review whether the Commission’s Safe Harbor decision was valid.  The Irish High Court concurred, and therefore the CJEU took the case.

The CJEU takes the findings of the (non-binding) Advocate General recommendation in whole, including that the U.S. legal system has “systemic failures” in data protection because of national security programs revealed in June 2013 after a series of unauthorized disclosures of PRISM and other national security programs.  However, the Advocate General’s opinion does not accurately describe PRISM and other national security programs as they operated in 2013, and despite indicating that his decision must take into account the regime as currently in operation, the Advocate General’s sweeping generalities are not accurate.  (see, e.g., analysis of Advocate General recommendations by Peter Swire, member of the independent Review Group on Intelligence and Communications Technology, created by President Obama in 2013). 

By Mary Ellen Callahan and Heidi Wachs

This year has seen a spate of updates to state data breach notification laws. The most recent state to join the trend is Connecticut, whose new legislation was signed into law by Governor Daniel Malloy on July 1, 2015 and went into effect on October 1, 2015. The updated law adds biometric data to the definition of personal information and sets a 90-day deadline for companies to report data breaches to affected residents as well as the state Attorney General. The amendments also require companies to provide victims with one year of identity theft protection, making Connecticut the first state in the country to require identity theft protection. California enacted a similar law this January, requiring a full year of protection if a business elects to offer credit monitoring.

Montana, Nevada, North Dakota, Washington, and Wyoming also all approved updates to their laws earlier this year. Common updates across these new pieces of legislation include expanded definitions of personal information, incorporating additional data elements beyond the historically included first name or first initial and last name in combination with social security number, drivers license number, or “account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account,” and required notification to the state attorney general.