Executive summary

On September 17, 2019, the Belgian Data Protection Authority (DPA) issued a fine of EUR 10,000 for a breach of the General Data Protection Regulation (GDPR). The case related to a merchant who required the use of an electronic identity card as the sole means for the issuance of loyalty cards.

The DPA found that this practice did not comply with GDPR’s standards on (a) data minimization, as the electronic identity card contains much more information about the holder than is necessary for the purposes of creating a loyalty card; and (b) consent, because customers were not offered a real choice on whether they should provide access to the data on their electronic identity card in exchange for a loyalty card. As a result, the customers’ consent was not considered freely given and was therefore invalid.

The DPA also found that the merchant had not done enough to inform customers about its data processing activities, and thereby violated its information duties under the GDPR.

The facts



EDRM and the Bolch Judicial Institute at Duke Law recently released Technology Assisted Review (TAR) Guidelines (Guidelines) with the aim “to objectively define and explain technology-assisted review for members of the judiciary and the legal profession.” Among the topics covered are the validation and reliability measures practitioners can use to defend their TAR processes. This post summarizes this validation and reliability guidance, which has the potential to be a widely referenced authority on this topic going forward.

According to EDRM, there are no “bright-line rules” governing what constitutes a reasonable review or one standard measurement to validate the results of TAR. Instead, principles of reasonableness and proportionality as set forth in FRCP Rule 26 generally guide the inquiry.

E-discovery does not sit still. To provide high-level service, practitioners necessarily deal with legal technology at the bleeding edge of development. This involves the embrace of nascent artificial intelligence (AI) in combination with other analytic tools and techniques to tackle increasingly challenging discovery projects. As ever-expanding volumes and sources of information strain the capacity of

WELCOME TO YOUR NEW WAR ROOM. TAKE A LOOK AT OUR LITIGATION FORECAST COVER STORY TO SEE HOW COMPANIES ARE USING TECHNOLOGY TO ADVANCE LITIGATION CASE STRATEGY

Crowell & Moring has issued its seventh-annual “Litigation Forecast 2019: What Corporate Counsel Need to Know for the Coming Year.” 

The Forecast cover story, Welcome

Last week, the U.S. Court of Appeals for the Ninth Circuit revived a class action lawsuit related to a 2012 data breach, determining that the future risk of identity theft suffices to establish Article III standing, even where there has been no actual harm. At issue in the case, In re Zappos.com, was whether

Last Thursday, the Fourth Circuit decided a closely followed case on one of the safe harbor defenses under the Digital Millennium Copyright Act (DMCA). See BMG Rights Management (US) LLC v. Cox Communications, Inc., No. 16-1972 (4th Cir. Feb. 1, 2018). The court also addressed the intent standard for contributory copyright infringement.

BMG, an owner of copyrights in digital music files, sued Cox, an internet service provider, for contributory copyright infringement by Cox subscribers engaging in “peer-to-peer” music file sharing. The district court held that Cox was not entitled to the safe harbor defense under Section 512(a) of the DMCA because Cox did not satisfy the conditions under Section 512(i)(1)(A) that it “adopted and reasonably implemented … a policy that provides for the termination in appropriate circumstances of subscribers … who are repeat infringers.” At trial, a jury found Cox liable and awarded BMG $25 million.



The Federal Energy Regulatory Commission (“FERC”) recently proposed that the North American Electric Reliability Corporation (“NERC”), which is responsible for promulgating and enforcing FERC-approved mandatory electric reliability standards, revise its Critical Infrastructure Protection (“CIP”) standards to require additional circumstances under which reporting of cybersecurity incidents is mandatory. FERC’s goal is to enhance the awareness of

It’s been said that “A lie gets halfway around the world before the truth can even pull its boots on.” In today’s world of online commentary and social media, this is truer than ever.

In the cyber-world, you or your company may be accused of selling defective goods, providing poor service, misleading customers, defrauding the

Last week, the Federal Trade Commission (“FTC”) announced an agreement settling claims against a television manufacturer arising from the alleged unauthorized collection of television viewing data.  The FTC, along with the State of New Jersey, alleged that certain “smart TVs” manufactured and sold by VIZIO, Inc. and its subsidiary VIZIO Inscape Services (collectively, “VIZIO”) failed