Privacy law meets antitrust – EU Commissioner Vestager on data in competition law; ECJ to rule on admissibility of Privacy class actions; Northern District of California Sends Yelp Privacy Suit to the Jury; EU Advocate General finds EU-Canadian PNR pact unlawful; New York Unveils New Cyber Security Rules for Financial Services Organizations; New Jersey Senate Passes Shopping Privacy Bill; NIST Issues Mobile Threat Guidance

Privacy law meets antitrust – EU Commissioner Vestager on when privacy issues can lead to antitrust concerns

European Competition Commissioner Margarethe Vestager has commented on the relevance of privacy issues with regard to EU antitrust rules. According to Vestager, current investigations of the German Federal Cartel Office regarding Facebook’s “privacy issues” would “not necessarily” lead to competition law concerns, even though both fields of law might correlate under certain circumstances.

In the investigations at issue, the German Federal Cartel Office is alleging Facebook of abusing an alleged ‘dominant position’ in the market for social networks by imposing unfair conditions regarding the privacy settings for Facebook accounts on its users. The German antitrust regulator is arguing that users would have “no choice” whether to accept the conditions or to terminate their account, because there is no real alternative to the well-known social network. Under Article 102 of the Treaty on the Functioning of the European Union (‘TFEU’), “dominant companies are subject to special obligations. These include the use of adequate terms of service as far as these are relevant to the market.”

It still remains to be seen whether Facebook will ultimately be found in breach of EU antitrust rules relating to its Privacy Policy. On a more general matter, however, the Commissioner’s statements seem to confirm that indeed, companies controlling vast amounts of data may be considered able to prevent market entry by withholding this data from potential competitors who could not reproduce comparable datasets themselves and therefore might violate Article 102 TFEU. Companies that might fall in this category should therefore be prepared that not only privacy regulators, but also antitrust authorities might potentially be questioning them regarding their use of data in the future. Nevertheless, “simply holding a lot of data” would not be enough to raise antitrust suspicions, Vestager appeased.

Schrems vs. Facebook 2.0 – European Court of Justice to Rule on Admissibility of Privacy Class Action

On September 12, 2016, the Austrian Supreme Court has announced that it refers to the European Court of Justice (‘ECJ’) the question on admissibility of class-action-style privacy damage claims before one court in the EU. For a second time, the case is based on a claim by privacy activist Max Schrems, who had already made the ECJ invalidate the U.S.-EU Safe Harbor Framework in October 2015. This time, however, Schrems is not only fighting his own case – he is joined by a group of individuals across the EU.

To date, the EU does not recognize class action models comparable to litigation in the US. Should the ECJ therefore again decide in favor of Schrems, the decision would be a groundbreaking development, potentially opening doors to damage claims of individuals based on alleged violations of their right to privacy before one and the same court.

For companies, a judgment in favor of Schrems would therefore have a significant impact on their risk assessment. Currently, the biggest risks companies have to face with a view to privacy violations are administrative investigations, possible fines, which can however not exceed a certain threshold, possible criminal sanctions and bad media attention. Should the ECJ allow for EU-wide class actions before one single court, this may not only lead to increased claims by activists and consumer organizations, but also to increased enforcement activity of the data protection authorities.

Northern District of California Sends Yelp Privacy Suit to the Jury

Judge Tigar of the Northern District of California will allow plaintiffs to continue to trial on a breach of privacy action dating back to 2012. Plaintiffs allege that Yelp designed its app to allow uploads of users’ personal information, including their address books, in violation of Yelp’s privacy policy.  The offending version of the app included a “find friends” feature which uploaded a user’s address book to Yelp’s server, although it did not store it.  Yelp warned users that it would “need to look at your contacts to find friends.” Plaintiffs claim that by this language, they only gave Yelp permission to “look at” or “use” their address books.  Yelp disagrees.  It argues that plaintiffs agreed to allow the upload.

Judge Tigar held that this was a factual dispute and denied Yelp’s motion for summary judgment. He also found that whether this action was “highly offensive,” and thus a violation of the California Right to Privacy, was also a question for the jury.  This case highlights the importance of composing and maintaining explicit and accurate privacy policies.  Indeed, companies should be overly explicit about how certain functions work to avoid ambiguities in how consumers interpret privacy notices and consent.

European Court of Justice’s Advocate General: EU-Canada Airline Data Pact Unlawful

In an opinion of September 8, 2016, Advocate General Paolo Mengozzi of the European Court of Justice (‘ECJ’) has stated that the draft passenger name agreement (‘PNR’) between the European Union and Canada for the transfer and retention of airline passenger data cannot be entered to in its current form due to privacy concerns.

The agreement, which was signed in 2014, was referred to the ECJ by the European Parliament in the course of the approval process. The Parliament was uncertain whether the interference of the provisions contained in the draft with the fundamental right to privacy would be justified. In his opinion, Advocate General Mengozzi now indeed argues that certain provisions in the agreement, in particular such relating to the processing of PNR data for public security objectives such as the prevention of terrorism, but also other provisions i.a. relating to retention periods violate the European Charter of Fundamental Rights.

Although the Advocate General’s opinion is non-binding on the ECJ, these opinions are generally highly influentially and often followed by the Court. Should the ECJ follow the opinion of Mengozzi, the PNR agreement may not enter into force unless it is amended.

New York Unveils New Cyber Security Rules for Financial Services Organizations

On Tuesday, the New York Department of Financial Services proposed new rules that would require banks, insurers, money service businesses and regulated virtual currency operators to implement a variety of cybersecurity measures. Among other measures, regulated entities must create and layout detailed data breach plans, increase their monitoring of how third-party vendors handle and secure customer data, and appoint a chief information security officer.  These rules are not far off from the best practices that many states and the federal government recommend.  However, New York would be among the first U.S. jurisdictions to make these practices mandatory.  Experts agree the other states and federal regulators will likely follow New York’s lead and implement similar mandatory measures.

New Jersey Senate Passes Shopping Privacy Bill

On Thursday, the New Jersey Senate unanimously passed the Personal Information and Privacy Protection Act, which would place restrictions on the way retail establishments collect and use personal data that is electronically embedded in customers’ identification cards. Retailers are able to access this data by scanning the card’s bar code.  If the bill passes, retailers that engage in this practice would have to store their information securely and report any security breach to the victim of the breach and the state police.  As with the more comprehensive New York bill, discussed above, New Jersey’s measures in this area might pave the way for other states to follow suit.

NIST Issues Mobile Threat Guidance

NIST issued mobile threat guidance last Thursday designed to help protect the connection between mobile devices and computer systems. This move could further influence the private sector to adopt voluntary NIST standards.  Historically, NIST has only applied to federal agencies and, of late, NIST standards have increasingly been incorporated into US government contracts.  However, these latest standards could signal a wider adoption of NIST standards in the private sector, perhaps creating a privacy “standard of care.”