On February 17, 2023, the Illinois Supreme Court ruled 4-3 that violations of the Biometric Information Privacy Act (“BIPA”), the country’s first biometric privacy legislation, accrue with each incident of capture or dissemination of biometric information, and not only once per data subject. In Cothron v. White Castle System, Inc., 2023 IL 128004, the court found, based on the plain language of the statute, that violations for collecting or disclosing biometric information occur at every scan or transmission. The court reached this conclusion while admitting the potentially “absurd” implications, including that the ruling could result in damages of $17 billion in that case alone. Id. at ¶ 40.

Cothron follows the court’s recent decision in Tims v. Black Horse Carriers, Inc., No. 127801 (Ill. Feb. 2, 2023), which applied a uniform five-year statute of limitations to all claims under BIPA. Taken together, Cothron and Tims create a minefield of liability for organizations collecting biometric information and may significantly increase the number of plaintiffs, claims, and possible damages under BIPA.

Background

Latrina Cothron filed a proposed class action against White Castle System, Inc. (“White Castle”), her former employer, which required employees to scan their fingerprints to access computer systems and pay stubs. The scans were sent to a third-party vendor to verify the employee and authorize access. White Castle instituted the policy in 2004, before BIPA was enacted in 2008, but it did not seek consent from employees after BIPA took effect until 2018. Cothron alleged that White Castle violated BIPA sections 15(b) and 15(d) by collecting and disseminating her fingerprint identifier without prior consent.

White Castle moved for judgment on the pleadings, arguing that Cothron’s action was time barred because it accrued in 2008, when it first obtained her biometric data after BIPA took effect. Cothron responded that a new claim accrued each time White Castle sent her biometric data to its third-party authenticator, and argued her action was timely as to the unlawful scans and transmissions that occurred within the statutory period.

To resolve the issue, the court considered whether claims under sections 15(b) and 15(d) accrue each time an entity “scans a person’s biometric identifier and each time an entity discloses a scan to a third party, or only once, upon the first scan and transmission.” Cothron at ¶ 1. Section 15(b) states that a private entity may not “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first” obtains consent from the data subject. 740 ILCS 14/15. Section 15(d) states that a private entity in possession of a biometric identifier may not “disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless” there is consent or the disclosure is required by law. Id.

When section 15(b) and 15(d) claims accrue has important implications for both the limitations period and the calculation of damages, because statutory damages under BIPA accrue per violation. A company that negligently violates a provision of BIPA is liable for damages of $1,000 per violation, while a company that intentionally or recklessly violates a provision is liable for damages of $5,000 per violation. 740 ILCS 14/20.

Illinois Supreme Court Decision

The Illinois Supreme Court held that “the plain language of section 15(b) and 15(d) demonstrates that such violations occur with every scan or transmission.” Cothron at ¶ 30.

For section 15(b), the court examined the plain meaning of “collect” and “capture.” Id. at ¶ 23. The court found that information can be captured or collected more than once, explaining that each time an employee used her fingerprint to access pay stubs or computer systems, the system collected the fingerprint anew. Id. Each new capture therefore constitutes a separate violation under BIPA.

For section 15(d), the court analyzed the plain meaning of “disclose” and “redisclose.” Id. at ¶ 27. It held that “redisclose” includes repeated transmission to the same third party. Id. The court further pointed to the statutory catch-all language in BIPA providing that a violation occurs when an entity “otherwise disseminate[s]” the biometric information. Thus, each disclosure represents a new violation. Id.

The majority in Cothron recognized the decision’s impact, stating that “this court has repeatedly recognized the potential for significant damages awards under the Act.” Id. at ¶ 41. The court defended the decision as consistent with legislative intent, explaining that “substantial potential liability” would give private entities “the strongest possible incentive to conform” to the statute. Id. The court acknowledged that “if plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class-wide damages in her action may exceed $17 billion.” Id. at ¶ 40.

Key Takeaways

Far reaching consequences

Biometric information comes in many forms, and any time it is collected from Illinois residents it must be handled consistently with the broad proscriptions of BIPA. Critically, fingerprints are not the only biometric information that falls under BIPA; its reach is broad. BIPA claims have involved facial recognition features used to “tag” users in photos, the collection of customers’ voices in drive-throughs, remote proctoring tools for online schooling, customer hotlines, vending machines, donation centers, and even virtual glasses try-on software. See In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016); Carpenter v. McDonald’s Corp., 580 F. Supp. 3d 512 (N.D. Ill. 2022); Doe v. Nw. Univ., No. 21 C 1579 (N.D. Ill. 2022); Dorian v. Amazon Web Servs., Inc., No. 2:22-CV-00269 (W.D. Wash. 2022).

Potential increase in damages and settlement amounts

Liability will now depend on the number of subjects from which an organization collects data, as well as on how that collection occurs. An amusement park scanning fingerprints on entry may accrue only a handful of claims per data subject, whereas an employer scanning fingerprints several times per shift, as in Cothron, may accrue hundreds of claims per subject. See Rosenbach v. Six Flags Entm’t Corp., 129 N.E.3d 1197 (Ill. 2019). Companies that passively collect biometric information could see an astronomical number of claims.

This increased liability risk under BIPA reinforces that companies must understand how they collect, store, use, and ultimately delete biometric information, to ensure that each step complies with BIPA.

Reduce Liability through Transparency – CONSENT IS KEY!

Organizations may be able to significantly mitigate risk through thoughtful and transparent implementation of biometric data collection. Most recent biometric litigation has centered on notice and consent. Organizations wishing to reduce liability and increase transparency should (1) obtain written consent from employees and customers before collecting biometric information and (2) maintain and publish a robust privacy policy outlining the use and retention of biometric information, including a retention and destruction schedule. Businesses may significantly reduce their BIPA exposure by establishing a culture of transparency throughout the organization.

* * *


For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

Earlier this month, two courts, one in California and one in Massachusetts under two different scenarios, opined on the enforceability of browsewrap and hybridwrap agreements, providing important warnings for companies relying on such agreements to obtain legally required consent for activities such as telemarketing or to otherwise impose terms and conditions on website users. Many cases turn on the enforceability of such agreements, and companies should evaluate their use of browsewrap agreements (e.g., terms of use available through a hyperlink at the bottom of a webpage) and hybridwrap agreements to determine whether changes are appropriate to improve enforceability and mitigate legal risk.

Background

Numerous companies rely on agreements, such as terms of use, that they form online with website users to meet legal requirements (e.g., to obtain consent), define rules for use of the website, and otherwise help limit the company’s liability. Courts generally categorize such agreements into two major groups. Clickwrap agreements require users to take an affirmative step (e.g., checking a box that says “I Agree”) to agree to the proposed terms, and courts regularly uphold them. Browsewrap agreements typically refer to terms that are available through a hyperlink at the bottom of a webpage and require no affirmative action from the user indicating assent. Instead, browsewrap agreements attempt to bind users solely because the terms appear on the visited webpage. Courts often find these agreements unenforceable unless the website owner can show the user had actual or constructive notice of the terms and conditions.

According to the Ninth Circuit in Berman v. Freedom Financial Network, LLC, 30 F.4th 849 (9th Cir. 2022), absent actual notice, a website owner can show constructive notice by demonstrating that (1) the website provides “reasonably conspicuous notice” of the terms to which the consumer will be bound; and (2) the consumer takes some action, such as clicking a button or checking a box, that unambiguously manifests his or her assent to those terms.[1]

The Berman court created a two-part test for determining whether terms of use presented on a website constitute “reasonably conspicuous notice.” First, the notice must be displayed in a font size and format such that the court can fairly assume a reasonably prudent Internet user would have seen it. In Berman, for example, the challenged language did not meet this standard because it was in “tiny gray font” and surrounded by significantly larger text and other visual elements. Second, if the terms are presented via hyperlink rather than on the webpage itself, the presence of the hyperlink must be readily apparent. Simply underlining words or phrases will generally be insufficient to alert a reasonably prudent user to the presence of a clickable hyperlink; a contrasting font color or all capital letters is more likely to draw attention to it.

Some courts have also defined a third category of agreements, hybridwrap, falling between browsewrap and clickwrap agreements. Hybridwrap agreements incorporate elements of both browsewrap and clickwrap agreements, providing greater notice of the terms and the website owner’s intent to bind the user to such terms while stopping short of requiring affirmative assent.

Heather Gaker v. Citizens Disability, LLC—Massachusetts

In Gaker,[2] Heather Gaker alleged that Citizens Disability (“Citizens”) violated the Telephone Consumer Protection Act (“TCPA”) by placing telemarketing calls to her cell phone without her prior consent, despite her having registered the number on the Do Not Call Registry. Citizens, a Massachusetts for-profit corporation that assists persons with disabilities in claiming Social Security benefits, argued that Ms. Gaker consented to receive telemarketing calls when she provided her personal information through a sweepstakes website (“Sweepstakes Website”) that offered a chance to win $50,000. At the bottom of the Sweepstakes Website was a box to “CONFIRM YOUR ENTRY,” followed by the following terms (“Terms”):

By clicking confirm your entry I consent to be contacted by any of our Marketing Partners, which may include artificial or pre-recorded calls and or text messages, delivered via automated technology to the phone number(s) that I have provided above including wireless number(s) that I have provided including wireless number(s) if applicable regarding financial, home, travel, health, and insurance products and services. Reply ‘STOP’ to unsubscribe from SMS service. Reply ‘Help’ for help. Standard Message & data rates may apply. I understand these calls may be generated using an autodialer and may contain pre-recorded messages and that consenting is not required to participate in the offers promoted. I declare that I am a U.S. resident over the age of 18 and agree to this site’s terms.

The words “Marketing Partners” contained a hyperlink to a page containing a list of companies, which included Citizens. A marketing vendor provided Citizens the information submitted through the Sweepstakes Website, after which Citizens placed seven calls to Ms. Gaker’s phone regarding the company’s disability services.

The TCPA prohibits telephone solicitations to a number registered on the national Do Not Call Registry unless the solicitor has obtained “prior express invitation or permission,” which must be evidenced by a “signed, written agreement between the consumer and seller which states that the consumer agrees to be contacted by this seller and includes the telephone number to which the calls may be placed.”[3] Further, the TCPA regulations define “prior express written consent” as

an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice, and the telephone number to which the signatory authorizes such advertisements or telemarketing messages to be delivered.[4]

The agreement must contain a clear and conspicuous disclosure informing the person signing it that the person is authorizing the telemarketing calls and that the person is not required to sign the agreement as a condition of purchasing any property, goods, or services.[5] According to guidance from the Federal Communications Commission, when a question arises about whether a consumer has given consent, the telemarketer bears the burden of demonstrating that “a clear and conspicuous disclosure was provided and unambiguous consent was obtained.”[6]

Thus, the central question before the U.S. District Court for the District of Massachusetts was whether the Sweepstakes Website adequately disclosed the Terms such that Ms. Gaker gave “unambiguous consent” to be bound by them. Relying on precedent on online terms and conditions, the court sided with Ms. Gaker and ordered Citizens to pay $500 per violation, for a total of $3,500. The court concluded that Citizens had not met its burden of establishing that “a clear and conspicuous disclosure was provided and unambiguous consent was obtained.” Salient factors in the court’s decision included the following:

  • The Terms were presented in a font smaller than other language on the page.
  • The Terms were also displayed in blue font against a blue background, with only slight variation in color between the two. No other language on the Sweepstakes Website was presented as inconspicuously, and all promotional language was presented in clearly contrasting colors.
  • The Terms appeared below the “CONFIRM YOUR ENTRY” box such that a user could click the button without ever reaching the Terms at the bottom of the page.
  • The Sweepstakes Website included images of gold coins and dollar signs in addition to other headlines and advertisements in large and legibly colored font, distracting visitors from the Terms at the bottom of the page.

Citizens argued that the appearance of the language “By clicking confirm your entry I consent to be contacted by any of our Marketing Partners” on the Sweepstakes Website itself, without requiring the visitor to click a hyperlink, should have sufficed to constitute clear and conspicuous disclosure. The court determined that this was insufficient in light of the “totality of the page,” given the factors above, which indicated an intent to distract a reasonable user from the Terms. For the same reasons, the court determined that the Terms did not satisfy the Ninth Circuit’s Berman test.

In addition, Ms. Gaker was not required to indicate that she had read the Terms before submitting her information (e.g., by checking a box). The Terms therefore did not meet the court’s definition of a clickwrap agreement, which would carry some presumption of validity. Instead, the court characterized the Terms as a browsewrap or hybridwrap agreement, which carries no such presumption.

Arisha Byars v. The Goodyear Tire and Rubber Co., et al.— California

At the heart of Byars[7] were allegations that The Goodyear Tire and Rubber Co. (“Goodyear”) engaged in wiretapping activities in violation of the California Invasion of Privacy Act. Of relevance to this client alert, however, is the decision’s discussion of browsewrap agreements in evaluating whether Ms. Byars consented to Goodyear’s forum selection clause.

Goodyear’s Terms of Use contain a forum selection clause stating that visitors to Goodyear’s website consent to litigating claims arising from use of the website in Ohio. Goodyear argued that Ms. Byars was on notice of its Terms of Use because its website displays a pop-up banner to all visitors containing three hyperlinks: one to Goodyear’s Privacy Policy, one to view “Cookie Settings,” and one to “Accept [the] Cookies.” Goodyear also argued that a hyperlink to its Terms of Use appears at the bottom of every webpage. Ms. Byars argued that she had neither actual nor constructive notice of the Terms of Use and therefore did not consent to the forum selection clause.

After examining Ninth Circuit precedent on clickwrap and browsewrap agreements, the court sided with Ms. Byars. According to the court, Goodyear’s Terms of Use “plainly” fell into the browsewrap agreement category as Goodyear’s website does not ask visitors to accept the Terms of Use, such as through the inclusion of an “I Agree” box. In addition, the court found the location of a Terms of Use hyperlink at the bottom of every page (where the website user might not look) consistent with the Ninth Circuit’s description of browsewrap agreements.

Because the court categorized Goodyear’s Terms of Use as a browsewrap agreement, they were enforceable only if Ms. Byars had actual or constructive knowledge of them. Goodyear failed to persuade the court that Ms. Byars had any reason to scroll to the bottom of the webpage or had otherwise viewed the Terms of Use, and Ms. Byars affirmatively alleged that she did not see them. For these reasons, the court determined that Ms. Byars did not consent to the Terms of Use or its forum selection clause.

Takeaways

Gaker and Byars underscore the reluctance of courts to enforce browsewrap and hybridwrap agreements that use illegible text and place the challenged language at the bottom of the webpage. As Gaker shows, this holds even where the agreement is used to obtain the consent the TCPA requires before placing telemarketing calls. Under regimes like the TCPA, which provides a private right of action and potentially very significant damages ($500 per call, with the possibility of treble damages), relying on a browsewrap agreement may prove very costly. Fortunately for Citizens, it placed only seven telemarketing calls to the plaintiff, so the court awarded a total of $3,500 in damages; for an organization heavily reliant on telemarketing to reach potential clients, the outcome could have been very different. Enforceability of terms of use is an issue that regularly comes up, and Gaker and Byars highlight the importance of presenting terms of use in a clear and conspicuous manner.


Key Takeaways

  1. While the CDA and DMCA are separate statutes, they work together to regulate online services
  2. Section 230 reform efforts could impact how Courts and commentators treat the DMCA
  3. Efforts to repeal or substantially reduce the protection for internet service providers under Section 230 raise questions for practitioners about potential corollary effects on the use of the DMCA to advocate for users and websites.

Section 230 of the Communications Decency Act (CDA, codified at 47 U.S.C. § 230) and Section 512 of the Digital Millennium Copyright Act (DMCA, codified at 17 U.S.C. § 512) are separate legal structures that work together to uphold certain protections for online service providers against claims arising out of user-generated content.

Enacted into law in 1996, Section 230 serves as a foundation of internet law, allowing major social media networks, blogs, digital marketplaces, and other websites to flourish.  Section 230 provides that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”  47 U.S.C. § 230(c)(1).  The law was written at a time when the internet was still in its infancy, and allowed the internet to grow, as one commentator has stated, from “baby to … behemoth.”

Section 512, enacted in 1998 as part of the DMCA, provides an affirmative defense to copyright infringement claims arising out of certain content displayed online at the direction of a user. Section 512 applies only if the conditions for safe harbor have been met. Specifically, Section 512 provides that “[a] service provider shall not be liable for monetary relief, […] injunctive or other equitable relief, for infringement of copyright […] if the service provider […] upon notification of claimed infringement, […] responds expeditiously to remove, or disable access to, the material that is claimed to be infringing or to be the subject of infringing activity.” 17 U.S.C. § 512(c). While the DMCA focuses on copyright infringement, its safe harbor provision mirrors the protections offered by Section 230.

These statutes have an immediate impact on companies and users of online services. In the context of copyright law and the DMCA, a jury in the Eastern District of Virginia found that an internet service provider had not sufficiently implemented the DMCA’s requirements and awarded the plaintiffs a $1 billion verdict, which may encourage plaintiffs to make such arguments more frequently. See Sony Music Entm’t v. Cox Commc’ns, Inc., No. 1:18-cv-00950 (E.D. Va. Jan. 12, 2021). In addition, on December 30, 2022, BackGrid USA filed a copyright complaint against Twitter in the U.S. District Court for the Central District of California. BackGrid USA identifies itself as a “premier celebrity-related photograph agency,” which “provides highly sought-after images of celebrities around the world to top news and lifestyle outlets.” Complaint at 6, BackGrid v. Twitter, No. 2:22-cv-09462-KS (C.D. Cal. Dec. 30, 2022).

In its complaint, BackGrid USA makes two copyright claims:

  1. Twitter Does Not Terminate Repeat Infringers as Required for Safe Harbor Protection Under 17 U.S.C. § 512(i); and
  2. Twitter Does Not Expeditiously Remove Infringements as Required for Safe Harbor Protection Under 17 U.S.C. § 512(b)-(d).  

According to BackGrid USA, “[d]espite sending more than 6,700 DMCA takedown notices [to Twitter], not a single work was taken down and not a single repeat infringer was suspended.” BackGrid USA claims that Twitter’s failure to “expeditiously … remove, or disable access to, the material that is claimed to be infringing or to be the subject of infringing activity” means Twitter can no longer rely on the Section 512 safe harbors. See 17 U.S.C. § 512(c)(1)(C).

For technology practitioners who take on cases where Section 230 and the DMCA are at issue, there are two notable takeaways related to these statutes:

First, while the CDA and DMCA are separate statutes, they work together to regulate online services.

The exemption in 47 U.S.C. § 230(e)(2) explicitly states that Section 230 has “no effect on intellectual property law.”  According to the statute, “nothing in this section shall be construed to limit or expand any law pertaining to intellectual property.”

Courts across the United States have affirmed this. Federal appellate courts recognize that “federal district courts have held that § 230(e)(2) unambiguously precludes applying the CDA to immunize interactive service providers from trademark claims.” Almeida v. Amazon.com, Inc., 456 F.3d 1316, 1322 (11th Cir. 2006). And in Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1118 (9th Cir. 2007), the Ninth Circuit explained that “the immunity created by § 230(c)(1) is limited by § 230(e)(2), which requires the court to ‘construe Section 230(c)(1) in a manner that would neither limit or expand any law pertaining to intellectual property.’” (quoting Gucci Am., Inc. v. Hall & Assocs., 135 F. Supp. 2d 409, 413 (S.D.N.Y. 2001), which in turn quotes § 230(e)(2)). As a result, the CDA does not clothe service providers in immunity from “law[s] pertaining to intellectual property.” See Almeida, 456 F.3d at 1322.

In the Gucci case, the district court explained that “Section 230 does not automatically immunize [Internet service providers (ISPs)] from all intellectual property infringement claims. To find otherwise would render the immunities created by the DMCA from copyright infringement actions superfluous.” 135 F. Supp. 2d at 417. Similarly, in UMG Recordings, Inc. v. Escape Media Group Inc., 948 N.Y.S.2d 881, 884 (N.Y. Sup. Ct. 2012), the New York Supreme Court rejected the defendant’s argument that “plaintiff’s claims are barred by the ‘safe harbor’ provision set forth in Section 512 of the [DMCA] … and that plaintiff’s claims are preempted by Section 230 of the [CDA].”

Second, Section 230 reform efforts could impact how Courts and commentators treat the DMCA. 

The last few years have ushered in efforts to amend Section 230.  For example, Senator Mark Warner (D-VA) introduced S. 299, the SAFE TECH Act, which “limits federal liability protection that applies to a user or provider of an interactive computer service (e.g., a social media company) for claims related to content provided by third parties.”  Representative Paul Gosar (R-AZ) introduced H.R. 7808, the Stop the Censorship Act, which “eliminates immunity for restricting content that is otherwise objectionable and applies such immunity when a company restricts content that is unlawful or that promotes violence or terrorism” and confers immunity to “actions taken that provide users with the option to restrict access to any material, regardless of whether such material is constitutionally protected.”  Most recently, Senator Lindsey Graham (R-SC) introduced S. 2972, a Bill to Repeal Section 230, which would eliminate Section 230 in its entirety.

In addition, President Biden announced core principles for Enhancing Competition and Tech Platform Accountability, which included removing “special legal protections for large tech platforms” and called for “fundamental reforms to Section 230.”

Efforts to repeal or substantially reduce the protection for internet service providers under Section 230 raise questions for practitioners about potential corollary effects on the use of the DMCA to advocate for users and websites.

Could reforms to Section 230 change the way courts and practitioners use the DMCA, or put Section 512’s safe harbor protections at risk? Repealing Section 230 would mean that online service providers, such as social media companies, search engines, review boards, blogs, and other sites that share user-generated content, could more readily be held liable for the content they host. In turn, the scope of that liability could force them to consider limiting or excluding material that may be construed as illegal. While the DMCA provides a “safe harbor” to providers that remove content after being notified that it may infringe a federal copyright, it also provides a counter-notice process for users to challenge the notice and allows the platform to restore the content.

Would repealing Section 230 increase reliance on copyright claims and potentially overwhelm courts with a flood of litigation over challenged content? The DMCA’s protections insulate ISPs from liability only if they meet the Act’s notice-and-takedown provisions, and only as to claims that hosted material infringes another’s copyright. A repeal of Section 230 or a substantial carve-out would reduce, in whole or in part, one of the twin protections currently provided to online service providers. Without Section 230, many internet services used by billions of people daily may become more costly: increased liability exposure would in turn drive up provider costs. Section 230 proponents have argued that the loss of these protections could reduce users’ current ability to post comments, engage with social media, or rate products found online. Some services may opt to shut down.

The CDA and DMCA have been critical to the internet’s expansion to date.  How Courts construe and legislators act with respect to these laws could have lasting impacts on how the internet develops over the next decade.



Key Takeaways

  1. A Potential Increase in Claims, Costs, and Damages
  2. Reduce Liability Through Transparency

On February 2, 2023, the Illinois Supreme Court ruled that all Biometric Information Privacy Act (“BIPA”) claims are uniformly subject to a five-year statute of limitations, expanding liability for businesses that collect biometric information.[1] In Tims v. Black Horse Carriers, Inc., the court found that a longer, uniform statute of limitations for all claims under BIPA best fulfilled the legislative intent to hold private entities accountable and provide redress for data subjects.[2] The Tims decision partially reversed an appellate court’s interlocutory decision that had applied a one-year statute of limitations to some sections of BIPA and a five-year statute of limitations to others.[3] This highly anticipated decision will allow companies to understand and manage their liability risk, and it will also likely fuel the growth of future BIPA lawsuits.

Background

The matter arises from a class action lawsuit filed by Jorome Tims against his former employer, Black Horse Carriers, Inc. (“Black Horse”), alleging that when Black Horse scanned his fingerprints, the company violated BIPA sections 15(a), 15(b), and 15(d).

The Illinois Biometric Information Privacy Act is the country’s first comprehensive biometric privacy legislation. BIPA contains five obligations for private entities collecting biometric information: 

  • 15(a) requires entities to develop and make public an information retention policy; 
  • 15(b) prohibits a private entity from collecting biometric information without first obtaining informed consent from the data subject;
  • 15(c) prohibits a private entity from profiting from the sale of biometric information; 
  • 15(d) prohibits disclosure of biometric information without the consent of the subject; and
  • 15(e) requires entities to protect biometric information from disclosure.[4] 

Statutory damages can be steep and add up quickly, accruing per violation.[5] A company that negligently violates a provision of BIPA is liable for damages of $1,000 per violation, while a company that intentionally or recklessly violates a provision is liable for damages of $5,000 per violation.[6] Plaintiffs are also entitled to pursue attorney fees, and actual damages where those exceed the statutory amount.[7] The courts are currently evaluating what constitutes a violation under BIPA, in particular whether liability accrues per data subject or per incident; in other words, per scanned employee or per fingerprint scan. At up to $5,000 per violation, per-incident accrual would significantly increase possible damages for entities collecting biometric data and could make even small businesses liable for huge sums.

Illinois Supreme Court Decision

The Illinois Supreme Court relied on legislative intent to determine the statute of limitations for BIPA claims in Tims.[8] The court declined to apply two different limitations periods so as to “reduce uncertainty and create finality and predictability.”[9] The court contemplated the practical impact of multiple time constraints, noting that “[t]wo limitations periods could confuse future litigants about when claims are time-barred, particularly when the same facts could support causes of action under more than one subsection of [BIPA].” Considering “the intent of the legislature, the purposes to be achieved by the statute, and the fact that there is no limitations period in [BIPA],” the court found that the five-year catchall limitations period would best apply.[10] The court believed policy considerations were best served by a longer limitations period because of “the fears of and risks to the public surrounding the disclosure of … biometric information.” The longer period enhances an aggrieved party’s ability to seek redress and lengthens the time during which a company can be held liable for noncompliance.[11]

Key Takeaways

A Potential Increase in Claims, Costs, and Damages

The expansion of liability resulting from the extended five-year statute of limitations will open the door to an increased number of BIPA actions, expanding both the number of possible plaintiffs and the number of possible claims. All BIPA cases that had been stayed awaiting the Tims decision will now be allowed to proceed under the expanded statute of limitations. Additional cases may be brought that had previously been outside the one-year limitation. Further, cases that would have once excluded claims under 15(c) and 15(d) due to the one-year limitation may now be expanded to include such claims. Litigation under the expanded statute of limitations may be costlier given the likely increase in claims. Additionally, because damages accrue per violation under each claim, defendants may see damages increase significantly. 

Reduce Liability Through Transparency

Organizations contemplating the use of biometric technologies for personnel management should be thoughtful about transparency in their implementation, for example by (i) providing employees with the opportunity to consent to biometric data capture before any scan is taken, and (ii) publishing a robust privacy policy that outlines the use and retention of their biometric information. The majority of the biometric litigation filed over the past two years has been based on the issue of notice, and organizations can significantly mitigate their risk by establishing a culture of transparency in their business.

* * *

Crowell & Moring LLP has a robust and highly experienced team advising organizations of all sizes on compliance with biometric privacy laws. Crowell also has an extensive library of resources associated with the Illinois Biometric Privacy Act, including:

A Statute of Limitations for BIPA Claims? We May be One Step Closer

Ninth Circuit Rejects Facebook’s Article III Argument; Biometric Lawsuit Will Proceed

Illinois’ First Settlement under Biometric Law; AMA Adopts Principles for Mobile Health Apps; Ecuador to Enact Data Privacy Law

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.


[1] Tims et al. v. Black Horse Carriers Inc., case number 127801, at 10.

[2] Id.

[3] Tims v. Black Horse Carriers, Inc., 184 N.E.3d 466 (2021).

[4] 740 ILCS 14/15.

[5] 740 ILCS 14/20.

[6] Id.

[7] Id.

[8] Tims et al. v. Black Horse Carriers Inc., case number 127801.

[9] Id. at 5.

[10] Id. at 11.

[11] Id. at 13.

This has not been a joyful winter for energy industry executives. They have repeatedly awoken to alerts that substations in the Northwest and Southeast have been physically attacked and that a major engineering firm was the subject of a ransomware cyberattack that may have compromised utility data.

Federal regulators are taking notice. On December 7, the Federal Energy Regulatory Commission (FERC) and the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) held a joint technical conference to discuss supply chain risk management in light of increasing threats to the Bulk Power System. Multiple government participants identified the possible need to normalize the use of software bill of materials and hardware bill of materials in the electric industry. Several days later, FERC directed the North American Electric Reliability Corporation (NERC) to re-examine its Physical Security Reliability Standard, CIP-014-1. Congress, for its part, responded to growing cybersecurity threats to energy infrastructure by increasing CESER’s budget by almost 7.5% in the recent omnibus appropriations bill and appropriating $20 million for the Cyber Testing for Resilient Industrial Control Systems program.

Cybersecurity attacks on distributed energy resources (DERs) including electric vehicles are also proliferating. In its recent report, Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid, CESER identified the cybersecurity threat to DER operators, vendors, developers, owners and aggregators as posing a significant and growing risk. The Department of Energy will also soon release a report, mandated by Congress in the Infrastructure Investment and Jobs Act, identifying policies and procedures for enhancing the physical and cybersecurity of distributed resources and the electric distribution system.

The recent physical and cybersecurity incidents targeting critical infrastructure have exposed significant vulnerabilities at some companies, and both customers and the federal government are pushing the private sector to mitigate those threats as a condition of doing business. The federal government, in particular, expects its private sector partners to adopt better security hygiene, assess supply chain risks, and prepare for quick responses to incidents, including rapid notifications to customers, regulators and the public. Here are some best practices for energy sector companies to have on their radar for 2023:

  • Compliance with NERC’s Critical Infrastructure Protection (CIP) Standards. Violations of applicable NERC CIP reliability standards subject users, owners and operators of bulk power system facilities to civil penalties of up to $1,496,035 per violation, per day.
  • Comprehensive Assessments of Key IT and OT Systems. Conducting comprehensive assessments of current and potential system vulnerabilities is a leading cybersecurity industry practice that energy sector companies may consider adopting. They can do so by, for example, engaging in regular inventory of Information Technology and Operational Technology systems, including by assessing patch management processes, performing information security and physical risk assessments, and documenting and regularly reviewing system security plans and related operational documents.
  • Clear Roles and Responsibilities. Establishing clear cybersecurity-related roles and responsibilities can help position the enterprise to respond efficiently and effectively to cyber risk, for example by ensuring that corporate executives, the legal team, and key personnel such as the Chief Information Security Officer, the Chief Information Officer, the Chief Compliance Officer, and the Chief Privacy Officer are on notice of their respective roles and have clear guidance as to their duties both during “business as usual” operations and in the event that a potential cybersecurity incident occurs.
  • Cybersecurity Incident Response Plans. Developing a cybersecurity Incident Response Plan (or “IRP”) is a leading cybersecurity industry practice and may even be a regulatory requirement for certain companies. IRPs are “playbooks” that are developed prior to a cybersecurity incident occurring to provide guidance for responsible stakeholders to respond to a potential incident and guide the company through that response in an organized and effective way.  IRPs typically include key components, such as individuals’ and teams’ roles and responsibilities, contact lists, details about the internal escalation process (e.g., regarding notifications to government entities), and guideposts for technical teams.  Companies may supplement their IRPs with supporting materials, for example check lists for key executives and personnel, and take steps to integrate their IRPs with other related policies, such as all-hazards crisis management plans and communications plans.
  • Cybersecurity Tabletop Exercises. Tabletop exercises are simulations designed to test a company’s response to a potential cybersecurity incident and application of their Incident Response Plan.  These exercises are often facilitated by counsel and conducted under privilege.  Notably, the Ponemon Institute, in a report issued by IBM Security, reported that companies that had incident response teams and tested their Plans with tabletop exercises or simulations incurred an average of $2.66 million less in data breach-related costs than those that did not. 
  • Supply Chain Risk Mitigation. A company’s supply chain can heighten exposure to cyber threats, including data leaks, supply chain breaches, and malware attacks; however, strategies to mitigate these risks are available, for example implementing protocols to continually assess and monitor third-party risk, understanding and controlling who has access to the company’s most valuable and sensitive data, and ensuring that third-party contracts include cybersecurity requirements.  The federal government has acknowledged the importance of addressing such supply chain risk, and 2021 Executive Order 14028, Improving the Nation’s Cybersecurity, and a 2022 OMB Memorandum both impose standards on governmental entities for the security and integrity of the software supply chain, and also require third-party software suppliers to comply with standards issued by the National Institute of Standards and Technology whenever their software is used on government information systems or affects government information, including that shared with government contractors.
  • Information Sharing Opportunities. Last March, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requiring critical infrastructure to report significant cyber incidents and ransomware payments to the Cybersecurity & Infrastructure Security Agency (CISA) within tight time frames.  Although CISA has not yet promulgated the rules to implement CIRCIA, it has provided stakeholders with guidance about sharing cyber event information that emphasized the importance of information sharing to our collective defense and for strengthening cybersecurity for the nation. In addition to federally mandated information sharing requirements, companies may also consider sharing information in a trusted setting, including with their Information Sharing and Analysis Centers (ISACs). 


The European Commission launched the formal process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework on December 13, 2022. The framework will replace the Privacy Shield, which was invalidated by the Court of Justice of the European Union’s (“CJEU”) Schrems II ruling on July 16, 2020 (CJEU C-311/18, discussed in this client alert). The draft adequacy decision aims to foster transatlantic data flows and to address the concerns raised in Schrems II. The draft adequacy decision is therefore important for businesses on both sides of the Atlantic.

An adequacy decision is a formal decision by the European Commission which recognizes a comparable level of personal data protection to that of the European Union in a non-EU country, territory, or international organization. As a result of such decision, personal data can flow freely and safely from the European Economic Area (“EEA”) to that recognized location without being subject to any further conditions or authorizations.

The EU’s proposal to launch a formal process to adopt an adequacy decision follows President Biden’s decision to sign an Executive Order in October 2022 which introduced new binding safeguards that address concerns raised in Schrems II. In Schrems II, the CJEU held that the U.S. Privacy Shield did not provide protection that was “essentially equivalent” to that of the EU because EU residents did not have effective remedies for privacy violations and because U.S. intelligence agencies had overly broad access to the data. In response to the invalidation of the Privacy Shield, the Executive Order now imposes limitations and safeguards on access to data by U.S. intelligence agencies and establishes an independent and impartial redress mechanism.

President Biden’s Executive Order forms an essential element of the draft adequacy decision and the European Commission’s assessment that the U.S. legal framework now ensures an adequate level of protection of personal data transferred from EU organizations to U.S. certified organizations.

More specifically, the European Commission considers that:

  • The EU-U.S. Data Privacy Framework Principles, including the Supplemental Principles, issued by the U.S. Department of Commerce (“Principles”, see annex I of the draft adequacy decision) ensures effective protection that is essentially equivalent to the protection guaranteed by the GDPR;
  • The effective application of the Principles is guaranteed by transparency obligations and the administration of the EU-U.S. Data Privacy Framework by the U.S. Department of Commerce;
  • The oversight mechanisms and redress avenues in U.S. law enable infringements of data protection rules to be identified and punished in practice and offer legal remedies to data subjects (including EU residents) to exercise their data subject rights; and that
  • Any interference in the public interest by U.S. public authorities, particularly for criminal law enforcement and national security purposes with the fundamental rights of data subjects will be limited to what is necessary and proportionate to protect national security, and that effective legal protection against such interference exists.

To benefit from the draft adequacy decision, U.S. companies will have to certify that they are participating in the EU-U.S. Data Privacy Framework on an annual basis.

The draft adequacy decision will now be reviewed by the European Data Protection Board, and by a committee composed of representatives of EU Member States under the comitology procedure. The European Parliament also has a right to scrutinize the draft adequacy decision and may do so. The European Commission can adopt the final version of the adequacy decision only after all these stakeholders have given a green light to the draft. Once the final decision is published, which is not expected before spring 2023, European companies will be able to rely on this framework for sharing data with certified companies in the U.S.

One final note: an adequacy decision is not the only mechanism to legitimize international data transfers. Companies can still rely on other transfer tools for transfers to the U.S., such as the standard contractual clauses for international data transfers adopted by the European Commission last year. The European Commission emphasizes that the safeguards that the U.S. Government has put in place in the Executive Order, namely the limitations and safeguards to data accessed by U.S. intelligence agencies will be available for all EU-transfers to U.S. organizations, regardless of the mechanism used for the specific transfer. Companies relying on the standard contractual clauses for their international transfers to the U.S. will consequently benefit from these provisions as well.

Crowell and Moring will continue to follow developments on these issues and provide ongoing updates.

On November 10, 2022, the European Parliament adopted a resolution on esports and video games. In this resolution the European Parliament calls on the Commission and the Council to acknowledge the value of the video game ecosystem as a major cultural and creative industry (“CCI”) with strong potential for further growth and innovation. The video game ecosystem has become a leading CCI all over the world, with an estimated European market size of EUR 23.3 billion in 2021, including more than 4,900 game studios and 200 game publishers. It has great potential for growth, innovation, creativity and triggering positive change for the whole CCI sector, but, the resolution suggests, would benefit from additional harmonized data, definitions and legal frameworks required to enable it to embrace its full potential.

The European Parliament envisages a long-term European video game strategy, which should benefit all actors involved fairly and adequately, while considering the particularities of video game competitions in order to support EU actors and EU start-ups in the sector. The resolution notes that the European video game industry is mainly made up of small and medium-sized enterprises of vital importance to the European economy. In 2020, the industry employed approximately 98,000 people in Europe, of whom only an estimated 20% were women. Getting more women into video games and esports is a strategic priority for the European Parliament.

Definition of esports

The resolution defines ‘esports’ as “competitions where individuals or teams play video games – typically in front of spectators – either in-person or online, for entertainment, prizes or money”. The definition of esports encompasses a human element (the players), a digital element (the games), and a competitive element (the competition).

Benefits of esports and video games

Esports are an increasingly popular entertainment activity. Owing to their wide audience and digital component, video gaming and esports have significant social and cultural potential to connect Europeans of all ages, genders and backgrounds, including older people and people with disabilities. Moreover, video games and esports have great potential to further promote European history, identity, heritage, values and diversity through immersive experiences, and the European Parliament believes that they also have the potential to contribute to the EU’s soft power.

Furthermore, the European Parliament recognizes the great potential of video games and esports for use in EU educational policies and lifelong learning. Video games in the classroom often encourage students to pursue careers in science, technology, engineering, arts and mathematics, and esports can help to develop several skills that are essential in a digital society. The European Parliament insists that video games and esports can be a valuable teaching tool for actively involving learners in a curriculum and for developing digital literacy, soft skills and creative thinking.

Challenges for a truly integrated European esports and video game sector

The European Parliament sets out different areas that could be addressed by the European Commission and the Council for the creation of a truly integrated European esports and video games sector. These include, amongst others:

  1. The need to safeguard esports from problems with match-fixing, illegal gambling and performance enhancement, including doping;
  2. The protection of data privacy and cybersecurity challenges, without losing sight of the esports phenomenon;
  3. Fair consumer monetization of video games through micro-transactions, in-game currencies and loot boxes to ensure robust consumer protection;
  4. The protection of video game IP and the cross-border enforcement of IP rights of game producers;
  5. The ongoing battle against stereotypical representation of women in video games, and in general, the promotion of a framework for attaining greater equality for women in all positions in the value chain.

Need for a charter to promote European values in esports

Finally, the European Parliament distinguishes esports from sports, not least because the video games used for competitive gaming (i.e. esports) are played in a digital environment and belong to private entities that enjoy full legal control and all exclusive and unrestricted rights over the video games themselves.

However, the European Parliament stresses that it believes that both sectors can complement and learn from each other and promote similar positive values and skills, such as fair play, non-discrimination, teamwork, leadership, solidarity, integrity, antiracism, social inclusion and gender equality. To this end, the European Parliament calls on the Commission to develop a charter to promote European values in esports competitions, in partnership with publishers, team organizations, clubs and tournament organizers.

Crowell & Moring will continue to follow (e)sports-related initiatives and provide ongoing updates.

In a judgment of August 1, 2022, the Court of Justice of the European Union (CJEU) provided further guidance on two important aspects of the General Data Protection Regulation (GDPR) (CJEU C-184/20). In summary, the CJEU held that, first, for a national law that imposes a legal obligation to process personal data to be able to constitute a legal basis for processing, it needs to be lawful, meaning that it must meet an objective of public interest and be proportionate to the legitimate aim pursued, and second, that non-sensitive data that are liable to reveal sensitive personal data need to be protected by the strengthened protection regime for processing of special categories of personal data.

The judgment followed a request for a preliminary ruling from the Vilnius Regional Administrative Court (Lithuania) concerning a Lithuanian anti-corruption law that required individuals working in the public service and in the public interest of society to declare their private interests by lodging a declaration of private interests. The declarant was obliged to provide details about him- or herself and his or her spouse, cohabitee or partner, such as name, personal identification number, employment status, membership of undertakings, and information about certain financial transactions. Most of this information, including the name of the declarant’s partner, was published by the Chief Official Ethics Commission on a public website.

The main take-aways from the judgment can be summarized as follows.

I. A national law that imposes a legal obligation to process personal data can only constitute a legal basis for processing when it meets an objective of public interest and is proportionate to the legitimate aim pursued

The CJEU recognizes that the Lithuanian law that required the declaration of private interests serves an objective of public interest, i.e. guaranteeing the proper management of public affairs and public property, by ensuring that public sector decision makers perform their duties impartially and objectively and preventing them from being influenced by considerations relating to private interests. Combating corruption is an objective of public interest and, accordingly, legitimate.

On the other hand, the CJEU emphasizes that Member States need to consider the principle of proportionality in setting out the requirements for achieving such a legitimate objective. This means that the measures to achieve the objective need to be appropriate, adequate and strictly necessary.

While the measure (the declaration of private interests) is appropriate for contributing to the achievement of the objectives of general interest that it pursues, it is not strictly necessary to publish the content of the declarations of private interests on a public website. The objective could be achieved as effectively if the Chief Official Ethics Commission reviewed the content of the declarations instead of publishing them. A lack of sufficient human resources to check all the declarations effectively cannot justify their publication.

Moreover, an objective of general interest may not be pursued without having regard to the fact that it must be reconciled with the fundamental rights affected by the measure. This means that, for the purpose of assessing the proportionality of the processing, it is necessary to measure the seriousness of the interference with the fundamental rights to respect for private life and to the protection of personal data that that processing involves and to determine whether the importance of the objective of general interest pursued by the processing is proportionate to the seriousness of the interference.

In this context, the CJEU stresses a number of contextual elements. First, the public disclosure, online, of name-specific data relating to the declarant’s partner, or to persons who are close relatives of the declarant, is liable to reveal information on certain sensitive aspects of the data subjects’ private life, including, for example, their sexual orientation. Second, the declaration also concerns persons who are not public sector decision makers, but who are related to the declarant in a capacity other than his or her public sector role, and in respect of whom the objectives pursued by the law are not imperative in the same way as for the declarant. Third, the cumulative effect of the personal data that are published may further increase the seriousness of the interference, since combining them enables a particularly detailed picture of the data subjects’ private lives to be built up. The CJEU further points out that the publication of the content of the declaration means that the personal data are made freely accessible on the internet to the whole of the general public and, accordingly, to a potentially unlimited number of persons.

All this leads to a serious interference with the fundamental rights of data subjects to respect for private life and to the protection of personal data. The seriousness of that interference must be weighed against the importance of the objectives of preventing conflicts of interest and corruption in the public sector. In that regard, the CJEU confirms again the great importance of the objective of combating corruption, but concludes that the publication online of the majority of personal data contained in the declaration of private interests of any head of an establishment receiving public funds, does not meet the requirement of a proper balance. The interference following from the publication of the declaration is considerably more serious than the interference that would follow from a declaration coupled with a check of the declaration’s content by the Chief Ethics Commission. The court stresses that it is up to the Member State to ensure the effectiveness of such check with the means necessary for that purpose.

II. Non-sensitive data that are liable to reveal sensitive personal data need to be protected by the strengthened protection regime for processing of special categories of data

As set out above, the declaration of private interests also contained details about individuals that are related to the declarant. Some of these details, such as the name of the partner of the declarant, are liable to reveal information on certain sensitive aspects of the data subjects’ private life, such as their sexual orientation. The CJEU recognizes that non-sensitive personal data may reveal indirectly, following an intellectual operation involving deduction or cross-referencing, sensitive personal data that are protected by a strengthened protection regime.

In this regard, the CJEU first confirms the wide interpretation of the terms “special categories of personal data” and “sensitive data”, and consequently rules that personal data that are liable to disclose indirectly special categories of personal data of a natural person, need to be protected by the strengthened protection regime for processing of special categories of personal data, if the effectiveness of that regime and the protection of the fundamental rights and freedoms of natural persons that it is intended to ensure are not to be compromised.

III. Key points to remember

  1. Even where processing can be based on a legal obligation to which the controller is subject, the legal obligation may not constitute a legal basis if it, in itself, is not lawful.
  2. A lack of resources cannot justify a controller’s choice for achieving a legitimate aim with more intrusive means.
  3. Non-sensitive data may reveal indirectly, following an intellectual operation involving deduction or cross-referencing, sensitive personal data.
  4. Personal data that are liable to reveal sensitive data need to be protected by the strengthened protection regime for processing of special categories of personal data.

Crowell and Moring will continue to follow developments on these issues and provide ongoing updates.

The DOJ has long expressed concern about the impact of personal messaging – in particular of encrypted and ephemeral messaging apps – on its ability to conduct investigations effectively (and to rely on the results of company investigations). Close on the heels of the well-publicized SEC enforcement sweeps of financial industry message retention practices, Deputy Attorney General Lisa Monaco recently issued a Corporate Crime Advisory Group Memo (the “Monaco Memo”) that articulates heightened DOJ expectations for companies to retain and disclose employee personal device data. The DOJ’s expectations, however, may clash with practical limits on companies’ ability to control personal devices and with international data protection laws, and may increase companies’ preservation and disclosure risks in other proceedings.

Implementation of Personal Device and Third-Party Messaging Policies

In providing guidance to prosecutors on evaluating individual and corporate accountability, the Monaco Memo devotes an entire subsection to the “Use of Personal Devices and Third-Party Applications”. The Memo notes that the explosive growth in the use of personal smartphones, computers and other devices for business purposes poses “significant corporate compliance risks” to a company’s and regulators’ ability to monitor misconduct and recover relevant data for an investigation. A similar risk is posed by third-party messaging platforms, which may feature ephemeral and encrypted messaging.

A primary factor in prosecutors’ assessments of compliance is whether the corporation has taken sufficient steps to “ensure” it can timely preserve, collect and disclose “all non-privileged responsive documents … including … data contained on phones, tablets, or other devices that are used by its employees for business purposes.” Compliance programs must consider how that may be accomplished “given the proliferation of personal devices and messaging platforms that can take key communications off-system in the blink of an eye.” Markers of a robust compliance program include meaningful personal use policies, clear training and effective enforcement.  

Importance of Self-Disclosure

The DOJ wants to investigate and move to charging decisions quickly, and urges companies to structure their systems, processes and responses to this end. From the Miller Keynote: “Collectively, this new guidance should push prosecutors and corporate counsel alike to feel they are ‘on the clock’ to expedite investigations.… If a cooperating company discovers hot documents or evidence, its first reaction should be to notify the prosecutors”. Such “self-disclosure is often only possible when a company has a well-functioning Compliance Program that can serve as an early warning system and detect the misconduct early.” Ironically, the DOJ reportedly is simultaneously instructing prosecutors to “collect less evidence” because it purportedly is drowning in data. The DOJ seems to be looking to square this circle by increasing reliance on companies to review the expected torrent of personal device data that requires collection and assessment, and make rapid self-disclosures.

Impact of Foreign Data Privacy Laws

The Monaco Memo also makes clear that companies are expected to work hard to overcome any impediments to full disclosure posed by international and regional data privacy and protection laws. When faced with such conflicts, “the cooperating corporation bears the burden of establishing the existence of any restriction on production and of identifying reasonable alternatives to provide the requested facts and evidence, and is expected to work diligently to identify all available legal bases to preserve, collect, and produce such documents, data, and other evidence expeditiously.”

While not instructing companies to ignore foreign laws, the DOJ will credit companies that can successfully navigate such issues and produce relevant documents. Moreover, it cautions against any company that “actively seeks to capitalize on data privacy laws and similar statutes to shield misconduct inappropriately from detection and investigation by U.S. law enforcement,” noting that prosecutors may draw “an adverse inference as to the corporation’s cooperation … if such a corporation subsequently fails to produce foreign evidence.” Companies in this predicament are well advised to proactively consult with experienced cross-border data transfer counsel as to their obligations and options for response.

Does this mean companies have to be in control of their employees’ phones?

Companies revisiting their BYOD and compliance policies in light of the Monaco Memo will need to be alert for unintended consequences. There can be tension between expectations of aggressive corporate compliance measures and companies’ actual ability to control and access personal devices, as well as litigation risks and duties that may accompany such control. In some jurisdictions there may be no obligation to preserve and collect data from employee phones absent a “legal right” to obtain it (e.g., through contract or policy), while other courts hold that a company’s “practical ability” to obtain the data from the employee may suffice. See generally The Sedona Conference, Commentary on Rule 34 and Rule 45 “Possession, Custody, or Control,” 17 Sedona Conf. J. 467 (2016). For example, the court in In re Pork Antitrust Litig., No. 18-CV-1776 (JRT/HB), 2022 WL 972401 (D. Minn. Mar. 31, 2022) recently refused to compel a defendant to produce employee text messages because, inter alia, its BYOD policy did not expressly provide for company ownership of the texts or its right to access personal phones to obtain them. The court also reasoned that defendant “should not be compelled to terminate or threaten employees who refuse to turn over their devices for preservation or collection”. After the Monaco Memo, that is perhaps not the approach a prosecutor would take to a company looking for cooperation credit.

Takeaways

This wave of regulatory guidance and activity (more is forecast to be issued soon) reflects the DOJ’s emphasis on holding individuals accountable for corporate misconduct, and its need to fill off-channel gaps in the ability to perform such assessments. Cooperating corporations are expected to show sustained and comprehensive efforts to ensure that even occluded data sources like personal devices and messaging applications used for business are available for monitoring, review and disclosure. Companies should consider updating their policies to limit business communications to onboarded systems and platforms that are subject to retention; provide a process for spotting and reviewing business messages that nevertheless go through non-conforming channels; and provide enhanced training, auditing and enforcement. Compliance programs should be tested to confirm their effectiveness in the field, and not just on paper. To really motivate action, the DOJ is urging that executives have skin in the game – to tie compensation and promotion decisions to their fidelity to corporate use and retention policies. This would occasion a significant change in culture for many companies.

On October 7, 2022, President Biden signed an executive order implementing the EU-U.S. Data Privacy Framework. Announced in March, this framework replaces the Privacy Shield program that the EU Court of Justice invalidated in July 2020 with its Schrems II decision. That decision stated that the United States did not provide a level of data protection that was “essentially equivalent” to that provided within the EU because signal intelligence surveillance by U.S. agencies was considered too broad and EU residents were not provided with effective remedies.

The new framework is intended to facilitate the cross-border transfer of personal information from the EU to the U.S. in compliance with the EU’s General Data Protection Regulation (GDPR).  The executive order specifically addresses the process by which the U.S. intelligence community handles the personal data of EU residents and responds to complaints from EU residents.  Detailing the commitments made in the March announcement, the executive order provides the basis for the EU to proceed with an “adequacy” decision under the GDPR regarding cross-border data transfers.  With these additional protections in place, it is expected that a revised cross-border transfer framework can be finalized in the next few months.

According to the White House Fact Sheet accompanying the March announcement, the new framework requires that U.S. intelligence agencies may only conduct data-gathering operations that are necessary to advance legitimate national security objectives, and which do not disproportionately impact individual privacy and civil liberty interests.   The independent Privacy and Civil Liberties Oversight Board is charged with reviewing the U.S. intelligence community’s implementation of the new principles and procedures, including the outcome of redress decisions, and conducting annual compliance reviews.

The revised framework establishes a multi-tiered process by which EU residents can seek redress for alleged violations, replacing the government “ombudsperson” process rejected as inadequate by the EU court.  As a first step, EU residents can lodge complaints with the Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence, who will perform an initial investigation and make binding decisions.  As a second level of review, the U.S. Department of Justice will establish an independent Data Protection Review Court comprised of independent judges who will review the CLPO’s decisions and “have full authority to adjudicate claims and direct remedial measures as needed.”   EU residents may file complaints via “special advocates” to represent their interests.

More than 5,300 companies participated in the Privacy Shield program before it was invalidated. Further, the decision invalidating Privacy Shield raised concerns about the adequacy of alternative data transfer mechanisms, including standard contractual clauses and binding corporate rules.  The safeguards and provisions contained in the March announcement and October 7 executive order would also apply to data transferred under these alternative mechanisms.

The next step is for the EU to conduct a determination as to whether the U.S. commitments meet GDPR’s “adequacy” standard for the transfer of personal data, a process anticipated to take about six months.  Once ratified by the European Commission, participation in the revised framework will require that companies self-certify their adherence with the U.S. Department of Commerce.  Although any adequacy determination is likely to be challenged in the EU courts, the new framework will create much greater certainty for the many organizations that depend on cross-border data flows to drive the trillions of dollars in annual cross-border commerce. 

Crowell and Moring will continue to follow developments on these issues and provide ongoing updates.