Deadline for New Data Sharing Framework; Congress Considers Automobile Cybersecurity; No VPPA Violation for Free Apps; TCPA Standing Expands
January 2016 Deadline for New Approach to Transatlantic Data Transfers
European data protection agencies (DPAs) and members of the European Commission, operating collectively as “the Article 29 Working Party,” set a January 31, 2016 deadline for U.S. and European Union authorities to create a new foundation for EU-U.S. data transfers to replace the Safe Harbor pact that was struck down because of concerns over the extent of U.S. government access to personal information. If the January deadline passes with no agreement, the Article 29 Working Party made clear its commitment to further action, including “coordinated enforcement,” to ensure compliance with EU rules. Meanwhile, each DPA has independent authority to examine EU-U.S. data transfers. Until final resolution, which may include a “Safe Harbor 2.0,” the best methods for transferring data between the U.S. and EU are EU-approved contract clauses or, for those fortunate enough to already have them in place, binding corporate rules. These mechanisms were not directly affected by last week’s Safe Harbor decision, but they remain vulnerable to the same EU concerns about U.S. government surveillance. Companies should review their data transfer practices from a risk management perspective to determine whether implementing model contract clauses or other measures to replace their Safe Harbor certifications is an appropriate interim response to the uncertainty surrounding EU-U.S. data transfers. For more on the Article 29 Working Party’s statement, see our recent client alert.
U.S. House Subcommittee Considers Automobile Cybersecurity Measures
This week, the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade is considering measures pertaining to vehicle data privacy and cybersecurity. A discussion draft released days before the October 21 hearing reveals the potential for legislation that would, among other things, impose privacy and cybersecurity requirements on vehicle manufacturers, including privacy policies, disclosures of collection and use of vehicle information, and security measures to protect against unauthorized access to vehicle information. The draft also proposes penalties of $5,000 per day, capped at $1 million per manufacturer, and creation of an “Automotive Cybersecurity Advisory Council” that will develop best practices for vehicle cybersecurity. On Wednesday, the Federal Trade Commission expressed its concerns about the draft legislation’s approach to compliance and enforcement. While passage of this or similar legislation is not imminent, this week’s discussions suggest that Congress will attempt to regulate in this space in the future and that it may be wise to begin considering how to craft and implement privacy and cybersecurity policies and procedures to protect user data and inform users about collection practices.
11th Circuit: No VPPA Violation for Info Collected via Free App
In Ellis v. Cartoon Network, the Eleventh Circuit ruled that a company cannot be liable under the Video Privacy Protection Act (“VPPA”) for using a free mobile application (“app”) to collect and share information. The plaintiff alleged that Cartoon Network (“CN”) violated the VPPA by sharing information with a third party about the videos that plaintiff watched and using an identifier unique to the plaintiff’s phone. The court ruled that the plaintiff was not a “subscriber” under the VPPA, as his use of the app to watch videos did not require any payment, registration, or other commitment establishing a relationship with CN. The same issue is currently on appeal in the First Circuit, where the conclusion in Yershov v. Gannett mirrors that of the Eleventh Circuit. Ellis did not reach the issue of whether the collected data was “personally identifiable information” under the VPPA, although other decisions, including Yershov, suggest that it is. In light of these decisions, companies that collect and use personally identifiable information via mobile apps should keep in mind that potential VPPA liability can turn on whether the app requires users to establish a relationship via payment, compulsory login, or some other method, or extends an already-existing relationship from another platform.
Third Circuit: Regular Users of Telephone May Sue Under TCPA
The Third Circuit ruled that an individual who regularly uses a phone line at a place they reside has standing to sue under the Telephone Consumer Protection Act (TCPA). The court held that such a person falls within the “zone of interests” protected by the TCPA, even if they are neither the intended recipient of a phone call nor the person to whom the phone line is registered. This ruling expands the potential basis for TCPA liability, and may invite more expansive arguments by plaintiffs based on regular access to a phone line in a particular location.