One of the most important recent legal and regulatory developments has been the elevation of privacy rights and concerns. Privacy issues are related to but distinct from cybersecurity issues and concerns, because privacy is concerned with more than just keeping data free from unauthorized intrusion. Privacy concerns also involve how data is used and what kinds of control the persons whose rights are affected have over the data. As more and more businesses gather and use user data and other potentially sensitive personal information, they will increasingly find themselves grappling with the growing wave of privacy regulation and legislation. Among the many potential exposures these circumstances create for companies and their senior officials is the growing possibility of privacy-related D&O litigation. Indeed, the growing potential for privacy-related claims may be among the most important emerging D&O liability exposures.
The highest-profile and arguably most important recent privacy-related milestone was the May 25, 2018 effective date of the EU’s General Data Protection Regulation (GDPR). The GDPR, which supersedes a prior EU data protection directive, creates standards for data protection and privacy for companies obtaining personal information and data on or from EU residents. The regulation is intended to provide individuals with greater control over and protection for their personal data. The headline detail about the GDPR is that violators may be fined up to €20 million or, in the case of an enterprise, up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater. With potential penalties of that magnitude available, GDPR has captured the attention of corporate executives and their advisors everywhere.
Privacy concerns would be an important issue even if the advent of GDPR’s requirements were the only significant recent development. However, there has been a plethora of other privacy-related developments, further highlighting the importance of privacy as an emerging area of regulatory exposure. To cite just one example, in July 2018, just two months after GDPR’s effective date, Japan and the EU agreed to recognize each other’s data protection regimes as providing adequate protections for personal data. To achieve this reciprocal recognition, Japan agreed to implement additional safeguards to align with the EU’s standards, including specifically stricter guidelines for the re-transfer of personal data. In addition, in order to ensure the smooth transfer of personal data between companies in Japan and the U.S., and between Japan and the U.K., Japanese officials are in discussion with their counterparts in these two countries. These privacy developments in Japan are discussed in a September 24, 2018 memo from the Skadden law firm entitled “Data Protection in Japan to Align With GDPR” (here). These developments underscore the rise of an increasingly complex web of cross-border regulatory requirements.
Nor are the important privacy-related regulatory and legislative developments exclusively international or cross-border. There have been important domestic privacy-related developments within the U.S. as well. Most significant, as discussed in detail here, was the enactment in late June 2018 of the California Consumer Privacy Act. The California legislation, which is sometimes referred to as a “Mini-GDPR” even though there are important differences between the Act and the EU regulation, imposes significant privacy obligations on businesses, creates a number of privacy rights, and provides for enforcement both through a private right of action and through regulatory enforcement.
At the time the California legislation went into effect, many observers questioned whether the California Act might presage the emergence of a host of other state-level legislation as other U.S. states tried to get into the privacy-protection mode. As it has turned out, a number of other states have recently enacted privacy-related legislation, although none (yet at least) as broad or comprehensive as the California legislation.
For example, among the state-level legislation that has recently passed, in August 2018 Ohio passed legislation providing companies with an affirmative defense to tort claims if the companies have implemented a written cybersecurity program that “reasonably conforms” to certain governmental or industry cybersecurity frameworks. The Ohio legislation does not apply to contract claims and does not provide a private right of action. It goes into effect on November 1, 2018.
Colorado’s legislature, meanwhile, has passed legislation specifying that companies collecting certain types of private information must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the private information being collected and to the nature and size of the business and its operations. The new Ohio and Colorado legislative measures are discussed in a September 27, 2018 memo from the Manatt, Phelps & Phillips law firm (here).
These various state-level developments have “put consumer privacy squarely on the national agenda,” which could in turn lead to preemptive federal legislation. Among other things, the Senate Commerce Committee will be holding a hearing on October 10, 2018 to examine the lessons from the EU’s GDPR and California’s Consumer Privacy Act. Andrea Jelinek, the Chair of the European Data Protection Board, among others, is scheduled to testify. According to an October 1, 2018 memo from the Keller and Heckman law firm entitled “National Privacy Legislation May be on the Horizon” (here), “privacy legislation will likely continue to be a hot topic for the rest of the year, and for the new Congress in January, and we anticipate that state legislatures will also be looking at privacy and data security in 2019.”
With all of this regulatory and legislative attention on privacy issues, privacy has moved to the center of the radar screen in terms of potential business exposures. Among the risks that this emphasis on privacy issues creates is the possibility that corporate management will be held accountable for their company’s failure to comply with this increasingly complex array of privacy requirements.
The possibility that the increasing burdens and complexity of complying with privacy requirements might lead to D&O claims is not mere conjecture. As I have previously noted on this blog, companies’ struggles to deal with the burden and expense of GDPR compliance have already led to two securities class action lawsuits. First, as discussed here, Facebook was sued in late July when its share price declined after the company disclosed that its struggles to comply with GDPR had hurt the company’s quarterly performance. Similarly, at about the same time, Nielsen Holdings also was hit with a securities suit after it announced that its own and its vendors’ struggles to comply with GDPR had undercut its quarterly results and its projections for the remainder of the year.
In many respects the full shape and scope of the privacy-related exposures has yet to come into focus. For example, GDPR has only been in effect for a few months, and it remains to be seen how it will be enforced and how the enforcement approach will translate into regulatory action and possible follow-on claims. In the meantime, the threat looms large; many readers undoubtedly noted in recent days that shortly after Facebook announced that hackers had compromised more than 50 million accounts, press reports appeared questioning whether the company might face fines of over $1.6 billion related to the breach. The enactment of the California legislation and the possibility of further state and even federal legislation add to this general uncertainty.
Behind all of these regulatory and legislative developments is the deeper business reality that the collection and use of personal data is an increasingly important part of many businesses’ operations. An increasing number of companies rely on this kind of information to target their marketing, to improve or adjust their services, or to develop their products. Indeed, use of personal information is a key part of some of the most important current business initiatives, such as the efforts to develop self-driving cars. These increasingly prevalent business initiatives ensure that many companies will have to confront the increasingly complex web of regulatory and legislative requirements regarding consumer privacy.
How all of this ultimately will play out remains to be seen, but I strongly suspect that in the weeks and months ahead, privacy-related concerns will remain at the top of both regulatory and corporate risk management agendas. I also suspect that privacy-related issues will be an increasingly frequent source of D&O claims.
Readers interested in a comprehensive overview of privacy-related regulatory and legislative developments will want to refer to the September 2018 memo from the Troutman Sanders law firm entitled “Data Privacy: The Current Legal Landscape” (here).