0
Photo of Uber sign on the windshield of a car.

Uber Fined $324 Million for Data Transfer Violations

What Happened?

On Monday, the Dutch Data Protection Authority (DPA) found that Uber will be fined over $324 million for violating a European Union data privacy law.[1] The Dutch DPA stated that Uber transferred personal data about its drivers to the United States without appropriate safeguards, violating the GDPR.[2] According to the decision, transfer tools to protect this data were not used during the two years that Uber sent personal data from the EU to its US headquarters.[3]

 

Uber is expected to appeal the ruling, and Michael Valvo, an Uber spokesperson, stated that the “flawed decision and extraordinary fine are completely unjustified.”[4] In 2018, the Dutch DPA fined Uber $1.2 million for failing to report a data breach in a timely manner.[5] Earlier this year, the Dutch DPA fined Uber $11 million for infringement of privacy regulations, also concerning the personal data of drivers working for Uber.[6]

 

What Can We Learn?

Uber’s fine is among one of the largest penalties issued under the GDPR, highlighting the strict enforcement and requirements of data protection law within the EU.[7] The chairman of the Dutch DPA, Aleid Wolfsen, stated that, “the GDPR protects people’s fundamental rights by requiring companies and governments to handle personal data with care” and that Uber’s violations were “very serious.”[8]

 

Enacted in 2016, the GDPR sets forth rigorous standards for transferring and managing personal data. Significant financial penalties have been issued to multiple technology companies, including Meta’s $1.3 billion fine in 2023 for similar violations.[9]

 

The Dutch DPA alleges that Uber failed to implement adequate protections as they were not part of the Data Privacy Framework.[10] Additionally, the Dutch DPA alleged that in August of 2021, the company stopped their use of Standard Contractual Clauses (SCCs).[11] Either of these methods may have resulted in Uber avoiding regulatory scrutiny.

 

Understanding the Data Privacy Framework

There are specific rules that apply to data transfers from the EU to the US.[12] Some businesses in the US are members of the Data Privacy Framework, a set of agreements about safe personal data transfers to the US.[13] If the organization belongs to the Data Privacy Framework, they are treated as having an equivalent level of data protection to the EU.[14] This means that those businesses can transfer EU personal data to businesses consistent with EU law and without additional transfer tools.[15] However, if the business is not part of the Data Privacy Framework, the company will have to take additional protective steps when transferring data.[16]

 

Understanding Standard Contractual Clauses

If the US-based business or entity does not participate in the Data Privacy Framework and does not fall within Article 49 derogations or another exception to data transfer requirements, then two additional requirements should be met to transfer personal data outside of the EU: 1) a transfer tool, and 2) additional measures to protect data must be taken as needed. Article 46 of the GDPR provides a list of transferring tools which provide “appropriate safeguards,” including Standard Contractual Clauses (SCCs).[17]

 

SCCs are model contracts approved by the European Commission which allow controllers and processors to comply with requirements of EU data protection law.[18] SCCs have highly specific data protection safeguards, so when they are used between companies, there is a contractual obligation that personal data will be treated with a high level of protection when transferred outside the EU.[19] Because these contracts are standardized, SCC’s are a “ready-made” tool, which are relatively easy to implement.[20]

 

The investigation into Uber arose after the Schrems II ruling, which invalidated the EU-US Privacy Shield due to insufficient data protection standards in the US.[21]  Despite this ruling, Uber continued transferring personal data of their drivers from the EU to the US without implementing SCCs or other safeguards, based on the argument that Chapter V of the GDPR, which covers transfers of personal data to other countries, did not apply.[22] Uber stated that their actions were exempted under Article 3(2), which defines the territorial scope of processing activities.[23] While Uber maintains that its data protecting policies and processes, found in its privacy notice, are sufficient, this investigation and initial ruling demonstrate the heightened scrutiny that US companies face when operating in the EU.

 

Update from 9/13/2024

The European Commission has launched public consultation on the new EU SCCs. This consultation is for clauses in specific cases where a data importer is located in a third country but is directly subject to the GDPR. Adoption of these guidelines is expected in Q2 of 2025.

 

[1] https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/

[2] https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/

[3] https://www.jurist.org/news/2024/08/netherlands-data-protection-authority-fines-uber-e290m-for-violating-eu-data-regulation/

[4] https://www.nytimes.com/2024/08/26/business/uber-netherlands-fine-driver-data.html

[5] https://www.ciodive.com/news/uber-hit-with-12m-in-fines-for-2016-data-breach/543017/

[6] https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/

[7] https://complexdiscovery.com/uber-faces-e290-million-fine-for-gdpr-violation-in-data-transfer-to-us/

[8] https://complexdiscovery.com/uber-faces-e290-million-fine-for-gdpr-violation-in-data-transfer-to-us/

[9] https://www.metaverse.law/2023/05/22/meta-fined-for-data-transfer-violations/

[10] https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-of-290-million-euro-on-uber-because-of-transfers-of-drivers-data-to-the-us

[11] https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-of-290-million-euro-on-uber-because-of-transfers-of-drivers-data-to-the-us

[12] https://www.autoriteitpersoonsgegevens.nl/en/themes/international/transfer-within-and-outside-the-eea/personal-data-transfers-to-the-us

[13] https://www.autoriteitpersoonsgegevens.nl/en/themes/international/transfer-within-and-outside-the-eea/personal-data-transfers-to-the-us

[14] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721

[15] https://www.dataprivacyframework.gov/Program-Overview

[16] https://www.autoriteitpersoonsgegevens.nl/en/themes/international/transfer-within-and-outside-the-eea/personal-data-transfers-to-the-us

[17] https://www.edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf

[18] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

[19] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

[20] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

[21] https://www.metaverse.law/2020/11/30/eu-us-data-transfers-after-schrems-ii-european-commission-publishes-new-draft-standard-contractual-clauses/

[22] https://www.linkedin.com/posts/protectionofdata_uber-decision-dutch-dpa-activity-7234087611676463106-PWNz?utm_source=share&utm_medium=member_desktop

[23] https://www.linkedin.com/posts/protectionofdata_uber-decision-dutch-dpa-activity-7234087611676463106-PWNz?utm_source=share&utm_medium=member_desktop

0

California Invasion of Privacy Act (CIPA) – The Latest Privacy Litigation Trend

As more U.S. states enact comprehensive consumer privacy legislation, plaintiffs are turning to laws from the 1960s to pursue claims against companies that use website tracking technologies. Most notably, there has been a significant uptick in privacy litigation claiming that the use of website technology, such as session replay, chatbots, tracking pixels, and other analytics software, violates the California Invasion of Privacy Act (“CIPA”).

How We Got Here

Since 2022, a wave of class action lawsuits has been filed regarding Meta’s pixel, a tracking tool often used by companies for targeted advertising by tracking user activity. Many of these cases allege a violation of the Video Privacy Protection Act of 1988 (“VPPA”), a federal law prohibiting videotape service providers from knowingly disclosing personally identifiable information concerning their consumers. These lawsuits allege that companies which stream online video content on their websites while using the Meta pixel violated the VPPA by transmitting personally identifiable information about a website user to Meta. While many courts dismissed the VPPA Meta pixel cases, some of these cases (such as Ambrose v. Boston Globe Media Partners LLC[1]) have survived the motion to dismiss stage, leading the parties to settle instead.

Lawsuits involving the Meta pixel, along with similar technology, are also being filed under alleged violations of strong state wiretapping laws, such as the CIPA. The CIPA, which was enacted in 1961, intended to protect California residents from then-new technologies used for different kinds of wiretapping. In these modern-day cases, plaintiffs claim that the use of many web analytics tools amount to a violation of CIPA’s wiretapping and eavesdropping provisions.

Relying on a Ninth Circuit court decision which held that CIPA also applies to “internet communications”[2], plaintiffs’ firms circulated hundreds of demand letters threatening CIPA class action litigation under CIPA’s Section 631(a) – which prohibits third-party wiretapping – and Section 632.7 – which prohibits the interception or receipt and recording of certain wireless communications without consent. The statutory penalty is $5,000 per violation, making it an attractive avenue for plaintiffs’ firms.

Where We Are Now (Thanks to Greenley v. Kochava[3])

An even more recent decision from the United States District Court for the Southern District of California has prompted plaintiffs’ firms to turn to yet another theory and to file suits under alleged violations of CIPA Section 638.51. Section 638.51 prohibits the installation or use of a “pen register” or a “trap and trace device” without first obtaining a court order. A “pen register” is defined as a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.

The plaintiff in Greenley v. Kochava claimed that the defendant’s software that was installed in third-party mobile applications constituted an illegally installed pen register by tracking a user’s “geolocation, search terms, click choices, purchase decisions, and/or payment methods,” collecting this tracked information, and then selling it to third-party advertisers. Deciding on a motion to dismiss, the Greenley court stated that while CIPA’s definition of a pen register was specific as to the type of data a pen register collects, it was “vague and inclusive as to the form of the collection tool – ‘a device or process.’” With this in mind, the Greenley court held that “software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting’ is a process that falls within CIPA’s pen register definition.” Accordingly, the court denied the defendant’s motion to dismiss.

Following the Greenley court’s decision, over 50 new cases have already been filed in California state and federal courts under the CIPA pen register provision.

Where to Go from Here

Accordingly, businesses should evaluate their use of tracking software and technology, along with the disclosures in their privacy policy and potential consent mechanisms. The CIPA pen register provision allows a provider of electronic or wire communication services to use such a pen register if the consent of the user has been obtained. Although California courts have not yet interpreted consent in the context of the CIPA’s pen register provision, courts have found a user’s affirmative consent to be a successful defense in other CIPA claims.

 

[1] Ambrose v. Boston Globe Media Partners LLC, No. 1:22-cv-10195-RGS.

[2] Javier v. Assurance IQ LLC et al., 2022 WL 1744107, *1 (9th Cir. 2022).

[3] Greenley v. Kochava, Inc., No. 22-CV-01327-BAS-AHG, 2023 WL 4833466 (S.D. Cal. July 27, 2023).

0
Chicago Grand Central Looking Up

2024 U.S. regulatory enforcement priorities for data & AI

In late 2023 and early 2024, federal and state regulators signaled their enforcement priorities regarding the use of data and AI. These enforcement priorities range from sweeping investigations into entire labor sectors to targeting specific uses of technology.
FEDERAL

FTC. The FTC continues bringing actions against companies over their improper use of AI, increasing the risks of LLMs and generative AI. On March 8, 2024, the Federal Trade Commission (FTC) entered a stipulated order with Rite Aid prohibiting the pharmacy chain from using any machine-based systems to analyze biometric information. A month before, the FTC announced proposed rules combating the use of AI to impersonate individuals, which includes potentially imposing a rule that would declare it unlawful for an AI platform to provide goods or services that the platform knows or has reason to know is being used to harm consumers through impersonation.

SEC. In a surprising regulatory move, the Securities and Exchange Commission (SEC) took action against two entities that made misleading disclosures regarding their use of AI. On March 18, 2024, the SEC announced a $400,000 settlement against two investment advisers for making false and misleading statements about their purported use of AI. The investors allegedly stated in its SEC filings, in press releases, and on their websites that they were harnessing AI tools in certain ways, when in fact they were not. The SEC published an AI and investment fraud alert, signaling that they will likely continue monitoring AI-related disclosures.


CALIFORNIA

Data Minimization. On April 2, 2024, the California Privacy Protection Agency (the Agency) released its first Enforcement Advisory notice, emphasizing that covered businesses must apply the principle of data minimization to every purpose for which they collect, use, retain, and share personal information. Specifically, the Agency focused on the principle of data minimization during two scenarios: (1) responding to a consumer’s request to opt-out of sale/sharing and (2) verifying a consumer’s identity. Failure to adhere to the principle of data minimization may constitute a violation of the California Consumer Privacy Act (CCPA) and its regulations.

Amended CCPA Regulations. On March 29, 2024, the amended CCPA regulations will take effect and be enforceable. These regulations were originally supposed to take effect on March 29, 2023, but the California Chamber of Commerce filed suit on March 30, 2023, arguing that the amended regulations could not enter into force until one year after finalization. The court agreed, thereby effectively pushing the enforcement date back to March 29, 2024. However, a California appellate court subsequently reversed that decision, thereby making the regulations effective immediately.

The Agency and the California Attorney General have indicated that they anticipate aggressively enforcing the new regulations, and since covered entities had nearly an extra year to comply with the new regulations, California regulators may not be lenient in providing cure periods for noncompliance with the new regulations.

Streaming Services. On January 26, 2024, the California Attorney General announced investigative sweeps into “popular streaming apps and devices,” and sending letters to businesses that fail to comply with the CCPA. Specifically, the AG’s sweep focuses on whether streaming services are complying with the CCPA’s opt-out requirements for selling or sharing consumer personal information. The sweep includes analyzing whether the streaming services “do not offer an easy mechanism for consumers who want to stop the sale of their data.” For example, consumers using a SmartTV should be able to easily enable a “Do Not Sell My Personal Information” setting in the streaming service and have that choice honored across different devices.

Connected Vehicles and Related Technologies. On July 31, 2023, the Agency announced investigative sweeps into the data privacy practices of connected vehicle manufacturers and related technologies. The Agency conducted the review under the CCPA and its regulations enforceable at the time, with a focus on whether connected vehicle manufacturers and the like provided consumers with rights under the law (e.g., right to know, right to delete, and right to opt out of sale/share). However, the Agency has not indicated whether the sweep will continue into 2024 as the new regulations take effect, so connected vehicle manufacturers and producers of related technologies should remain vigilant.


COLORADO

Global Privacy Control. In the fall of 2023, the Colorado Department of Law accepted applications for universal opt-out mechanisms (UOOMs) that, under the Colorado Privacy Act (CPA), covered businesses would need to respect as a means for consumers to opt out of the sale of personal data or the sharing of personal data for targeted advertising. In December of 2023, the Colorado Attorney General announced that it selected the Global Privacy Control (GPC) as the UOOM the AG considers valid under the CPA.

Beginning on July 1, 2024, organizations subject to the CPA must ensure they are able to accept consumer opt-out requests made using the GPC, and the AG has announced that it “will prioritize for enforcement” compliance with the Department’s list of acceptable UOOMs.


CONNECTICUT

General Enforcement. On February 2, 2024, the Connecticut Attorney General released a report on the Connecticut Data Privacy Act (CTDPA), which detailed the AG’s enforcement efforts and priorities. Since the CTDPA took effect, the AG has issued cure notices to covered entities in a wide range of industries, including retail, fitness, event services, career services, parenting technologies, and home improvement.

The cure notices identified the following deficiencies:

    • Lacking or inadequate disclosures (e.g., failure to inform consumers completely or sufficiently about their rights under the law);
    • Lacking rights mechanisms (e.g., failure to provide a webpage that enables consumers to opt out of targeted advertising or sale of data);
    • Burdensome rights mechanisms (e.g., rights mechanisms that did not take into account the ways consumers normally interact with the company); and,
    • Broken / inactive rights mechanisms (e.g., non-working links or dead-end mechanisms).

Taken together, the report indicates an interest in the AG to ensure covered entities (in a wide range of industries) provide sufficient privacy disclosures and compliant rights mechanisms.


BEST PRACTICES CHECKLIST As we move through 2024, businesses should consider the following to lower their risk of enforcement actions:
  • Analyze State Privacy Thresholds. Each of the US state privacy laws feature their own thresholds of applicability that must be met before a business must comply with the law, so businesses must continually monitor whether they have satisfied any of these numerous thresholds. To help, we have compiled all of the state privacy law thresholds.
  • Create Data Maps. Because state and international privacy laws impose certain obligations on specific types of data (e.g., personal v. sensitive) and processing activities (e.g., using AI for significant decisions), businesses should create data maps to monitor and document their information practices.
  • Respect Opt-Out Signals. Where a state privacy law requires respecting opt-out preference signals, ensure that you have implemented a means for websites to recognize and respect such signals, and disclose to consumers that they have the right to use such opt-out mechanisms (e.g., Global Privacy Control).
  • Review Policies. While many of the disclosure requirements of US privacy laws and regulations overlap, there are intricate differences between them, so businesses should review external-facing policies to ensure the disclosures remain accurate and compliant.
  • Conduct DPIAs. Conduct a data protection impact assessment (DPIA) to the extent required by applicable state privacy laws or review existing DPIAs to ensure they remain compliant with applicable laws.
  • Analyze AI Tools. Understand and document how the business uses AI tools, which includes understanding the AI’s inputs and outputs, ensuring appropriate data minimization and IP safeguards are implemented, and analyzing disclosures regarding the use of the AI tools. This includes implementing an internal AI policy that covers whether and to what extent employees can use AI tools.
0

AI vendor management – human programming for machine learning

Machine learning and artificial intelligence (AI) have permeated the supply chain. The reasons are apparent. Low cost and efficiency are an easy sell in today’s economy, with rampant inflation in the supply chain and tight labor markets. Yet, the economic motivation for AI must be tempered by human (or human-programmed) review of AI systems. Rules are necessary to ensure that the fundamental privacy and moral rights of individuals are protected. From data input to disaster recovery, AI vendor management ensures both the protection of businesses and the broader society. In an Insight article written by Lily Li, Founder of Metaverse Law for Data Guidance, Lily discusses data minimization for AI vendors, algorithmic bias and disgorgement, considerations for AI terms and conditions, and business continuity and disaster recovery considerations for AI. Click here to continue reading.
0
Close-up photograph of a fingerprint.

An overview of biometrics laws in the U.S.

[Updated: September 27, 2023] In addition to state comprehensive privacy laws, state legislatures are increasingly interested in regulating the collection, use, and possession of biometric data. It is therefore imperative for startups and businesses to remain informed of the potential laws that may apply and when. Readers are encouraged to review the following enacted and enforceable biometric laws, and to reach out if concerned that one such law may apply. We will continue monitoring the biometric legislation landscape and will update this resource accordingly.

ILLINOIS

Law: Biometric Information Privacy Act (“BIPA”) Applies to: Any individual, partnership, corporation, limited liability company, association, or other group, however organized, that possesses, collects, captures, purchases, receives through trade, or otherwise obtains biometric identifiers or biometric information of Illinois residents. Covers:
  • Biometric identifiers: Retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry; or
  • Biometric information: Any information, regardless of how it is captured, converted, stored, or shared, based on an individual biometric identifier and used to identify an individual.
Enforcement: The law provides individuals with a private right of action, and violations can amount to $5,000 per collection, possession, etc., in violation of the law.

MARYLAND

Law: Labor and Employment Code § 3-717 Applies to: Maryland employers that use facial recognition services for purposes of creating a facial template during an applicant’s interview for employment. Covers:
  • Facial template: Machine-interpretable pattern of facial features that is extracted from one or more images of an individual by technology that analyzes facial features and is used for recognition or persistent tracking of individuals in still or video images.
Enforcement: Maryland Department of Labor.

MONTANA

Law: Facial Recognition for Government Use Act Applies to: Third-party vendors contracting with Montana state or local government agencies for the provision of facial recognition services. Covers:
  • Facial biometric data: Data derived from a measurement, pattern, contour, or other characteristic of an individual’s face, either directly or from an image.
Enforcement: Montana Attorney General can bring enforcement actions, with damages starting at $10,000. The law provides individuals with a private right of action, and violations can amount to $1,000 per violation.

NEW YORK

Law: N.Y. LAB. LAW § 201-aA Applies to: New York employers that fingerprint employees as a condition of securing employment or of continuing employment. Covers:
  • Fingerprints: The law does not define what constitutes a fingerprint, but New York State Department of Labor RO-10-0024 states: “instruments that measure the geometry of the hand are permissible under the Labor Law so long as they do not scan the surface details of the hand and fingers in a manner similar or comparable to the scanning of a fingerprint.”
Enforcement: New York State Department of Labor.
Law: NYC Admin Code §§ 22-1201-1205 Applies to: Places of entertainment, retail stores, or food or drink establishments in New York City that collect biometric identifier information from customers. Covers:
  • Biometric identifier information: Physiological or biological characteristics that are used by or on behalf of a place of entertainment, a retail store, or a food or drink establishment, singly or in combination, to identify, or assist in identifying, an individual.
Enforcement: The law provides individuals with a private right of action, and violations can amount to $5,000 per violation.

OREGON

Law: Portland City Code, Title 34- Digital Justice, Chapters 34.10.010-34.10-050 Applies to: Any individuals and non-government entities in the city of Portland, prohibiting them from using face recognition technologies in any place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation, or otherwise. Covers:
  • Face recognition: Automated searching for a reference image in an image repository by comparing the facial features of a probe image with the features of images contained in an image repository.
Enforcement: The law provides individuals with a private right of action , and violations can amount to $1,000 per day for each day of violation.

STATE COMPREHENSIVE PRIVACY LAWS

Laws: Applies to: Each state comprehensive privacy law features various thresholds of applicability. Please see our overview of state comprehensive privacy laws for more information on those thresholds. Covers:
  • Biometric data: Generally means an individual’s physiological, biological, or behavioral characteristics that is used or is intended to be used to establish or authenticate an individual’s identity.
Enforcement: Most state comprehensive privacy laws are enforced by the state’s respective attorney general, but California also authorizes the California Privacy Protection Agency to enforce California’s state comprehensive privacy law.

TEXAS

Law: Capture or Use of Biometric Identifier (“CUBI”) Applies to: Any individuals and non-government entities capturing biometric identifiers of Texas individuals for a commercial purpose. (The law does not define what constitutes a “commercial purpose,” but the Texas Attorney General has argued that capturing biometric identifiers to improve or develop products or services constitutes a commercial purpose.) Covers:
  • Biometric identifiers: Retina or iris scans, fingerprints, voiceprints, or records of hand or face geometry.
Enforcement: Texas Attorney General, which can seek fines of up to $25,000 per violation.

WASHINGTON

Law: Biometric Identifiers Law (“BIL”) Applies to: All individuals and non-government entities that collect, use, and retain biometric identifiers from Washington residents. Covers:
  • Biometric identifiers: Data generated by automatic measurements of an individual’s
    • biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or
    • other unique biological patterns or characteristics that is used to identify a specific individual.
Enforcement:  Washington Attorney General under the state’s consumer protection act.
Law: My Health, My Data Act (“MHMDA”) Applies to: All legal entities of any size that conduct business in Washington state or produce or provide products or services targeted to individuals in Washington, and alone or jointly collects, processes, shares, or sells consumer health information. Covers:
  • Consumer health information: Personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.
Enforcement: Washington Attorney General can bring enforcement actions under the state’s consumer protection act. In addition, the law provides individuals with a private right of action.
1 2 3 4 5 6 8