A federal court at the end of last week dismissed litigation challenging the U.S. Postal Service’s (“USPS”) use of facial recognition and related technologies to collect personal data, finding that the group that filed the claims lacked standing.  Electronic Privacy Information Center v. United States Postal Service et al., Case No. 1:21-cv-02156 (D.D.C.).  As the use of facial recognition and AI is expected to continue to be challenged by plaintiffs and other parties in privacy litigations going forward, the resolution of this particular dispute is relevant for other cases, particularly insofar as government activity in this space is concerned.  Read on to learn more.

In August of last year the Electronic Privacy Information Center (“EPIC”) filed suit on behalf of itself and its members alleging that the USPS failed to comply with the E-Government Act.  This law, which was enacted in 2002, was designed to improve the Government’s use of information technology “in a manner consistent with laws regarding protection of personal privacy, national security . . . and other relevant laws.”  116 Stat. 2899, 2901 (2002) (Act), codified at 44 U.S.C. § 3501.

As relevant to this litigation, Section 208 of the E-Government Act requires an agency to conduct, review, and, “if practicable,” publish a privacy impact assessment (“PIA”).  The agency must take these steps before it collects “information in an identifiable form permitting the physical or online contacting of a specific individual,” if the agency imposes the same reporting requirements on “10 or more persons.”  As reported elsewhere publicly, since at least 2018 USPS has had in place the Internet Covert Operations Program (“iCOP”).  iCOP facilitates the identification of individuals and organizations who use “the mail or USPS online tools” for illegal purposes.  As part of iCOP, USPS monitors social media posts for threats of violence and uses facial recognition to identify potential threat actors.

In May 2021, EPIC submitted a Freedom of Information Act request seeking a PIA for the facial recognition and social media monitoring systems used by iCOP.  USPS conducted a search but failed to locate a PIA.  EPIC renewed its request but never received a response.  EPIC subsequently filed suit under the Administrative Procedure Act alleging that USPS began using iCOP without conducting a PIA, which EPIC claimed was required under the E-Government Act.  EPIC also asserted claims for “agency action unlawfully withheld” based on the same conduct, and additionally sought a writ of mandamus compelling USPS to “conduct and publish” a PIA and to suspend iCOP until such an assessment was completed.

USPS moved to dismiss the litigation for lack of standing and for failure to state a cognizable claim.  The Court agreed, finding that “[t]he Court begins and ends with standing” as “[t]here is no justiciable case or controversy unless the plaintiff has standing.”

Article III standing is required to establish a federal court’s subject matter jurisdiction over a particular dispute.  This requires that a plaintiff “must show (1) it has suffered a concrete and particularized injury (2) that is fairly traceable to the challenged action of the defendant and (3) that is likely” redressable by a favorable decision from the Court.

In this instance, EPIC argued that it had organizational standing on its own behalf and, additionally, associational standing on behalf of its members.  The Court found both bases inadequate.

First, the Court found, EPIC can claim organizational standing in the case only “if [USPS’] actions cause a concrete and demonstrable injury to [EPIC’s] activities that is more than simply a setback to the organization’s abstract social interests.”  More specifically, the Court held, for a purported informational gap to constitute an injury in fact, EPIC must allege that “(1) it has been deprived of information that, on its interpretation, a statute requires the government or a third party to disclose to it, and (2) it suffers, by being denied access to that information, the type of harm Congress sought to prevent by requiring disclosure.”

Consistent with its rulings in two other cases, the Court held that failure to publish a PIA does not create an informational injury sufficient for standing.  Among other reasons, this was because Section 208 of the E-Government Act is intended to protect individuals (by protecting individual privacy).  As such, the Court held, an asserted informational injury under Section 208 “cannot satisfy the second step” of the test for an informational injury in fact.  Noting that EPIC’s position had already been rejected in two related cases, the Court chastised EPIC’s attorneys, stating that “[t]he Court reminds EPIC’s attorneys to scrupulously adhere to their Rule 11 obligations in future cases.”

Second, the Court held that the same analysis likewise precluded individual EPIC members from establishing Article III standing.  This was because, the Court explained, an informational injury is “not the harm Congress sought to prevent through Section 208,” among other reasons.  Nor was the Court convinced that EPIC members had suffered injuries to their privacy—particularly when, as here, EPIC was merely alleging a bare procedural violation of the E-Government Act.  This was because, the Court explained, privacy injuries “ordinarily stem from the disclosure of private information.”  Here, by contrast, EPIC made no allegation whatsoever that USPS had disclosed any information of EPIC members or was likely to do so at some future point in time.

The Court dismissed EPIC’s claims for lack of standing.  This case is a reminder that, regardless of context, the requirement that a plaintiff establish Article III standing at all stages of a proceeding is a burdensome one in data privacy and cybersecurity litigations.  Moreover, this litigation is yet another example of how mere procedural violations of a privacy statute cannot suffice for purposes of Article III.  Federal courts have shown a willingness to dismiss data privacy cases at the pleadings stage for lack of standing, and this most recent ruling is another example of that trend.

For more on this, and for other developments concerning facial recognition and AI, stay tuned.  CPW will be there to keep you in the loop.


In Bradenberg v. Meridian Senior Living, LLC, No. 20-cv-03198 (C.D. Ill. Sept. 30, 2021), another BIPA complaint this year proceeded past the complaint stage, as the Court found that Plaintiff’s allegations were sufficient to state a claim.  While open ended questions remain regarding the statute’s scope and damages provisions (some of which may be shortly addressed by the Seventh Circuit), this trend underscores ongoing litigation risk for entities regulated under the statute.

As a short recap, BIPA protects the “biometric information” of Illinois residents, which is any information based on “biometric identifiers” that identifies a specific person—regardless of how it is captured, converted, stored, or shared.  740 ILCS 14/10.  Biometric identifiers are “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  Id. (collectively, with “biometric information,” “biometric data”).  The statute includes a private right of action and liquidated statutory damages.

Plaintiff’s allegations were relatively typical of BIPA actions, particularly those arising in the employment context: Plaintiff was an employee of defendant, a senior living facility that required its employees to scan their fingerprints at the beginning and end of each shift. Plaintiff alleged that each time she scanned her fingerprint, her personal identifying information (“PII”) was disclosed to defendant’s timekeeping vendor without her consent.

Defendant claimed that Plaintiff had failed to plead the requisite state of mind for BIPA violations, relying on the four remedies that Section 14/20 of BIPA makes available to plaintiffs who prevail on their claims. Two of the four remedies—both liquidated damages—are available only when a defendant acts with a specific state of mind, either negligently or willfully. The Court noted that the four types of remedies were only a “menu” of remedies, and not a list of the necessary elements of a BIPA claim. The other two remedies—attorney’s fees and costs and “other relief, including an injunction”—could be awarded without any state of mind requirement.

The Bradenberg Court additionally found that Plaintiff’s claims were timely brought. While defendant had claimed that Plaintiff’s state law claims either fell under a one-year statute of limitations—for publication of matter violating the right to privacy—or a two-year statute of limitations—for personal injury suits—the Court found that BIPA claims did not fit neatly into either of those two categories of suit, and instead found that Illinois’ general five-year statute of limitations applied. Because Plaintiff alleged violations beginning in 2017 and she filed her claims in 2020, those claims were timely.

As the Central District of Illinois has previously found, the Bradenberg Court also affirmed that Plaintiff’s BIPA claims were not preempted by the Illinois Workers Compensation Act (“IWCA”), as Plaintiff claimed an injury to her right to privacy and only physical or psychological injuries were compensable under the IWCA. Lastly, the Court found that defendant’s implied assumption of risk defense did not apply because BIPA is a strict liability statute.

Bradenberg is the latest to uphold a five-year statute of limitations for certain BIPA claims, and rejects a somewhat creative defense in affirming that Section 14/20 of BIPA is a list of remedies, rather than a list of necessary elements for a claim. We’ll continue to monitor all things BIPA for you at CPW.  Stay tuned.

In re Mednax Services, MDL No. 2994, is an MDL (multidistrict litigation) pending in the Southern District of Florida, currently in its early stages.  2021 U.S. Dist. LEXIS 195342, *8-9 (S.D. Fla. Oct. 9, 2021).  In a striking move late last week, a federal court ordered a stay of the proceedings pending resolution of the Defendants’ motion to dismiss for lack of standing and failure to plead a cognizable claim.  Is this the start of a new data privacy litigation trend or an aberration?  Read on to learn more.

As a reminder, the MDL process permits centralization of related disputes in front of a single federal court.  28 U.S.C. Section 1407(a) provides that:

When civil actions involving one or more common questions of fact are pending in different districts, such actions may be transferred to any district for coordinated or consolidated pretrial proceedings. Such transfers shall be made by the judicial panel on multidistrict litigation authorized by this section upon its determination that transfers for such proceedings will be for the convenience of parties and witnesses and will promote the just and efficient conduct of such actions . . . .

28 U.S.C. § 1407(a). Once an MDL is created by the Judicial Panel on Multidistrict Litigation (“JPML”), all cases related to the MDL are transferred to a single court.  That MDL court then administers the related cases until they reach a point at which the efficiencies of the consolidated proceedings are exhausted.  Like a class action, the individual cases are closely related enough that there are significant overlapping factual and legal issues.  But unlike a class action, there are enough differences between the plaintiffs’ claims that the proceedings can’t be consolidated for all purposes.  Hence, the MDL.

In this litigation, the Mednax Defendants are healthcare providers whose patient information—encompassing nearly 1.3 million patients—was accessed by a third party.  The Mednax Plaintiffs sued on behalf of themselves and their minor children, claiming that this data event exposed them to various harms.  Specifically, they asserted that Defendants failed to properly secure said personal health information.  Further, they alleged that Defendants’ response to the healthcare data breach resulted in additional harm to Plaintiffs and their minor children.  The operative complaint contains nine different state-law claims based on fourteen separate state statutes (for breach of implied covenant, violations of state and consumer laws, breach of implied contract, negligence, negligence per se, invasions of privacy, breach of fiduciary duty, and negligent training and supervision) on behalf of thirteen potential classes and subclasses of Plaintiffs.

Defendants globally moved to dismiss both on substantive grounds under Rule 12(b)(6) and for lack of standing under Rule 12(b)(1).  At the time Defendants moved to dismiss, discovery was ongoing.  Defendants, however, tried a tactic that is deeply unusual in the MDL context: seeking a stay of discovery pending a ruling on their dispositive motion. Suffice it to say, blanket stays of discovery in MDLs are highly unusual.  This is for the simple reason that, because MDL discovery is often focused on global issues, courts can readily justify continuing discovery even if the nature of the claims or the litigants might change.  Here, however, Defendants’ challenge worked.

The operative Mednax complaint covered the entire MDL, consolidating all claims of all Plaintiffs into a single interrelated pleading.  On review of the complaint and the pending motion to dismiss, the Court determined that discovery should be stayed because of the significant deficiencies in the Complaint.  According to the Court, not only did the pending motion to dismiss have a strong chance of success on at least some arguments, if the Defendants obtained the relief they sought, many claims and many Plaintiffs would be gone from the litigation, which would “drastically alter the scope of discovery.”  Likewise, the Court determined in line with Eleventh Circuit precedent that challenges to standing should be resolved before discovery commences to conserve resources in the litigation.

MDLs are expensive, time-consuming propositions in the best of circumstances, and are even more so where discovery progresses even while the parties are addressing flawed or deficient theories of liability and injury.  Many MDL courts embrace the philosophy that the best way to bring a resolution to the disputes is to keep the proverbial ball rolling, always keeping discovery moving.  The Mednax opinion is potentially a game changer, particularly in light of increasingly consolidated pleading practices in MDLs.  Staying discovery to determine what discovery will actually be needed is a common-sense solution to the administrative challenges in MDLs, and we will keep an eye on this case and other MDLs to see if this process gains traction.  Stay tuned.


CPW has been covering recent data privacy developments in China and this month CPW’s Scott Warren and Lindsay Zhu provided their insights to Bloomberg Law on this topic.  As covered at Bloomberg, “China’s new Personal Information Protection Law imposes additional requirements for multinational companies in the region, adding legal and regulatory challenges for businesses already grappling with U.S. state-level and European privacy regimes.  The law, which takes effect Nov. 1, requires businesses to conduct impact assessments and honor consumer data rights requests. It may complicate cross-border data transfers, attorneys say.  ‘If you’re an international business and want to move data in and out of China, you need to think deeply about this law,’ said Scott Warren, a Tokyo- and Shanghai-based partner at Squire Patton Boggs LLP.  ‘The penalties are significant, and there’s a private right of action.'”

You can read the full article with Warren’s and Zhu’s comments here.

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

Federal Court Gives Preliminary Approval of $92 Million TikTok MDL Settlement Over Objections

California Privacy Agency Announces Appointment of Executive Director Ashkan Soltani

Ex-FTC Tech Leader Picked To Head Calif. Privacy Agency: CPW’s Alan Friel Talks to Law360

Key Themes From California Attorney General’s Examples of CCPA Non-Compliance: Join CPW’s Alan Friel October 15 at 1:45 pm EST

Cyberattacks and the Energy Sector: CPW’s Kristin Bryan Talks to ITPro

Federal Court Grants Motion for Judgment on the Pleadings In FCRA Litigation

California Privacy Agency Moves Forward With Rulemaking Process

European Data Protection Board Establishes Cookie Banner Taskforce, Which Will Also Look Into Dark Patterns and Deceptive Designs

The California Privacy Protection Agency (CPPA) Board, created by the California Privacy Rights Act (CPRA), has been busy of late. As we recently reported, the CPPA has hired renowned privacy technologist Ashkan Soltani as its new Executive Director to lead the agency. Meanwhile, the agency’s committees have been hard at work. The Regulations Subcommittee has proposed a framework for its rulemaking process. Notably, the subcommittee recommends an immediate start to pre-rulemaking activities such as issuing an invitation for comments, creating additional subcommittees, and identifying informational hearing topics. A pre-rulemaking process gives the agency flexibility to hear from stakeholders outside of the formal and constrained process that will begin once the regulatory process officially commences. The framework also notes that the notice of proposed rulemaking, initial statement of reasons (ISOR), and text of the regulations should be published in winter 2021-2022, with public hearings taking place thereafter. This suggests that stakeholders have a short window of opportunity to take advantage of the pre-regulatory educational period. It will be interesting to see if the agency conducts the kind of “listening tour” the Office of Attorney General (OAG) went on across the Golden State by means of town halls prior to its California Consumer Privacy Act (CCPA) rulemaking process, or elects to spend its time in more intimate and concerted explorations.

You can read more about this development at Security & Privacy Bytes, here.

UK media outlet ITPro has published an in-depth analysis of a rise in cyberattacks targeting the energy sector, and CPW’s Kristin Bryan provided her insights for the article.  This trend spans both the US and Europe; earlier in the year CPW covered the Colonial Pipeline incident (and the resulting data event litigation), where a ransomware attack carried out by cybercriminals crippled the Colonial Pipeline’s functionality.  The Pipeline was taken offline as a remedial measure, causing significant gasoline shortages across the Eastern United States.

You can read the ITPro article and check out Kristin Bryan’s comments here.

As reported in Law360, Ashkan Soltani “[a] prominent security researcher and former chief technologist at the Federal Trade Commission has been selected to lead the day-to-day operations at California’s new privacy protection agency, which will be the first authority in the U.S. to focus solely on policing how companies handle consumers’ personal data.” CPW’s Alan Friel, deputy chair of the data privacy, cybersecurity and digital assets practice at Squire Patton Boggs, told Law360 Monday that Soltani’s selection demonstrated the state’s commitment “to developing a first class data protection authority.”  “His credentials are simply beyond reproach, and having someone with Ashkan’s level of technical and regulatory agency experience will help the agency meet its goals and obligations,” said Friel, who’s based in California and specializes in counseling clients on compliance with the state’s privacy regimes.

Read the entire article here.


As Rosa Barcelo, Matus Huba, Lucia Hartnett and Bethany Simmonds discuss in greater detail here, “[t]he European Data Protection Board (“EDPB”), a body with members from all EEA supervisory authorities (and the European Data Protection Supervisor), has recently established a taskforce to coordinate the response to complaints concerning compliance of cookie banners filed with several European Economic Area (“EEA”) Supervisory Authorities (“SAs”) by a non-profit organization NOYB. NOYB believes that many cookie banners, including those of ‘major’ companies, engage in “deceptive designs” and “dark patterns”.  The EDPB taskforce is established in accordance with Art. 70(1)(u) of the GDPR, which states that the EDPB must promote the cooperation and effective bilateral and multilateral exchange of information and best practices between SAs. The aim of this taskforce is to harmonize and coordinate the approach to investigating and responding to cookie banner complaints from NOYB. It remains to be seen how this will actually be done in practice and whether EDPB will limit the harmonization to the procedural approach to the complaints, or whether it will also attempt to ensure consistent application of the underlying substantive rules.”

They provide a detailed analysis at the Security & Privacy Bytes blog and comment that “the development of the taskforce could have a significant impact in streamlining the handling of the complaints it is set to investigate and could help companies better understand what is an acceptable pan-EU approach to cookie banners.”

In Green v. Innovis Data Solutions, Inc., 2021 US Dist LEXIS 176996 (N.D. Tex. Sep. 17, 2021), the plaintiff filed suit against Innovis Data Solutions (“Defendant”) and other entities arising out of Defendant’s conduct (or lack thereof) relating to Plaintiff’s tradeline with a financial institution as reported on Plaintiff’s consumer report, alleging that Defendant violated 15 U.S.C. §§ 1681e(b) and 1681i. Read on to learn more.

Plaintiff secured a mortgage for a piece of property located in Florida. The original mortgage was secured with a bank, and the mortgage was subsequently acquired by a third-party financial institution in 2006. In 2018, Plaintiff missed a mortgage payment, resulting in his account falling into delinquency. In response, the financial institution approved Plaintiff for a loan modification in September 2018. In November 2019, Plaintiff obtained his credit report and contended that it contained some inaccuracies—including several late payments between January and July 2018. Plaintiff followed up by sending Defendant a dispute letter contending he “may have missed one payment, if that.” Plaintiff also requested that Defendant “reinvestigate[]” his tradeline and report, “in the interim,” that the account was “in dispute.”

Defendant responded to Plaintiff’s letter and included an updated credit report reflecting its removal of Plaintiff’s account with the financial institution. Defendant maintains that it contacted the financial institution regarding the dispute, but the financial institution verified the information it reported to Defendant regarding Plaintiff’s account delinquency. In response, Defendant deleted Plaintiff’s entire tradeline.

Plaintiff brought this suit against Defendant alleging it violated 15 U.S.C. §§ 1681e(b) and 1681i. Defendant contends that these claims should be dismissed because it was authorized by the FCRA, as a matter of law, to delete the tradeline.

How does the story end? Let’s discuss the law first.

As a reminder, the purpose of the FCRA is “to ensure fair and accurate credit reporting that protects consumers while meeting the needs of commerce.” To survive a motion to dismiss a claim under Section 1681e(b), a plaintiff must allege facts showing the court that:

  1. Inaccurate information was included on a credit report;
  2. The inaccuracy was due to the failure to follow reasonable procedures to assure maximum possible accuracy;
  3. Injury was suffered; and
  4. The injury was caused by the inclusion of the inaccurate information.

The Court determined that Plaintiff alleged facts sufficient to show that there were inaccuracies on his credit report, meeting the first prong of the above test. However, Plaintiff did not allege facts to support his allegation that the inaccuracy on his disputed November 2019 credit report resulted from Defendant’s failure to follow reasonable procedures. Instead, Plaintiff relied on statements that Defendant “knew or should have known,” and that “Plaintiff’s account status and payment history were inaccurate.” This is simply not enough to show that Defendant’s inaccuracy was due to its failure to follow reasonable procedures.

In addition, Plaintiff did not allege any facts to support his injury claims. Instead, Plaintiff alleged that he “suffered damages, including . . . denial attempts to refinance, loss in ability to finance goods, loss of credit, loss of ability to purchase and benefit from a credit, and suffering the mental and emotional pain, anguish, humiliation and embarrassment of credit denials.” Again, this is simply not enough. In short, Plaintiff has not alleged facts from which the court can reasonably infer Defendant violated Plaintiff’s rights pursuant to 1681e(b).

Plaintiff also claims that Defendant violated 15 U.S.C. § 1681i when it failed to reinvestigate and update Plaintiff’s credit report after he notified Defendant of the dispute. To survive a motion to dismiss a claim under Section 1681i, a plaintiff must allege facts showing the court that:

  1. [plaintiff] disputed the completeness or accuracy of an item of information contained in his consumer file and notified [defendant] directly of that dispute;
  2. [defendant] did not reinvestigate free of charge and either record the current status of the disputed information or delete the item from the file in the manner prescribed by Section 1681i(a)(5) within the statutory period;
  3. [defendant’s] noncompliance was negligent or willful;
  4. [plaintiff] suffered injury; and
  5. [plaintiff’s] injury was caused by [defendant’s] failure to reinvestigate and record the current status of the disputed information or delete the item from the file.

It is undisputed that Plaintiff sent Defendant a letter disputing the information about his account—meeting the first prong of the above test. Plaintiff, however, failed to allege facts sufficient to meet the remaining prongs of the above test. Plaintiff only alleged that Defendant “fail[ed] to conduct a lawful reinvestigation,” but he does not allege adequate facts to support this allegation. The Court indicates “[on] its own, this statement is conclusory.”

In addition, Plaintiff has not set forth sufficient allegations that Defendant (1) failed to comply with Section 1681i(a)(5) when it deleted his account or (2) that any noncompliance on Defendant’s behalf was negligent or willful. Further, Plaintiff has not alleged how the deletion of a tradeline reflecting missed payments and delinquency has caused him injury. Thus, the Court held that Plaintiff’s pleadings fail to allege that Defendant violated Section 1681i of the FCRA.