As we previously reported in February 2017, an Illinois federal judge denied a motion to dismiss two complaints brought under the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”) by individuals who alleged that Google captured, without plaintiff’s consent, biometric data from facial scans of images that were uploaded onto Google Photos. The cases subsequently were consolidated, and on December 29, 2018, the Northern District of Illinois dismissed the case on standing grounds, finding that despite the existence of statutory standing under BIPA, neither plaintiff had claimed any injury that would support Article III standing.

Continue Reading Illinois BIPA Suit Dismissed for Lack of Article III Standing

On August 28, 2018, plaintiffs filed a class action lawsuit against Nielsen Holdings PLC (“Nielsen”) and some of its officers and directors for making allegedly materially false and misleading statements to investors about the impact of privacy regulations and third-party business partners’ privacy policies on the company’s revenues and earnings. The case was filed in the United States District Court for the Southern District of New York.  Continue Reading Plaintiffs File Class Action Lawsuit Against Nielsen Over Alleged False and Misleading Statements

On December 18, 2017, the French data protection authority (“CNIL”) publicly announced that it served a formal notice to WhatsApp regarding the sharing of WhatsApp users’ data with Facebook Inc. (“Facebook”). This decision, dated November 27, 2017, follows the CNIL’s investigations regarding Facebook’s 2014 acquisition of WhatsApp. In 2016, WhatsApp updated its Terms of Service and Privacy Policy to reflect the sharing of information with Facebook. Following this update, the Article 29 Working Party (“Working Party”) requested explanations from WhatsApp on its data processing practices and data sharing, and asked the company to stop sharing data for targeted advertising purposes. The Working Party also gave a mandate to its subgroup in charge of the cooperation on investigations and sanctions to coordinate actions of the relevant national data protection authorities. It is in that context that the CNIL started its investigation of WhatsApp’s data processing practices. Continue Reading The CNIL Serves Formal Notice to WhatsApp Regarding Sharing Data with Facebook

On October 24, 2017, an opinion issued by the EU’s Advocate General Bot (“Bot”) rejected Facebook’s assertion that its EU data processing activities fall solely under the jurisdiction of the Irish Data Protection Commissioner. The non-binding opinion was issued in relation to the CJEU case C-210/16, under which the German courts sought to clarify whether the data protection authority (“DPA”) in the German state of Schleswig-Holstein could take action against Facebook with respect to its use of web tracking technologies on a German education provider’s fan page without first providing notice. Continue Reading Advocate General Rejects Facebook’s Claim of Sole Irish Jurisdiction in EU

On August 25, 2016, WhatsApp announced in a blog post that the popular mobile messaging platform updated its Terms of Service and Privacy Policy to permit certain information sharing with Facebook. After Facebook acquired WhatsApp in 2014, the Director of the FTC’s Bureau of Consumer Protection wrote a letter to both Facebook and WhatsApp that discussed the companies’ obligations to honor privacy statements made to consumers in connection with the acquisition. Continue Reading WhatsApp Updates Privacy Policy to Share Information with Facebook

On June 13, 2016, the U.S. government expressed its wish to join the legal proceedings brought by Max Schrems concerning the validity of international data transfers under EU Standard Contractual Clauses.

Along with the U.S. government, the Irish Business and Employers Confederation and the Business Software Alliance, an industry trade group, also informed Ireland’s High Court of their desire to be added to the case as amici curiae, or “friends of the court.” Continue Reading U.S. Government Seeks to Join Schrems Case

On October 27, 2015, David Smith, the UK Deputy Commissioner of the Information Commissioner’s Office (“ICO”), published a blog post commenting on the ongoing Safe Harbor compliance debate in light of the Schrems v. Facebook decision of the Court of Justice of the European Union. His key message to organizations was, “Don’t panic.”

Continue Reading UK Deputy Information Commissioner on Safe Harbor: “Don’t Panic”

On October 20, 2015, at a hearing in the Irish High Court, Irish Data Protection Commissioner Helen Dixon confirmed that she will investigate allegations made by privacy activist Max Schrems concerning Facebook’s transfer of personal data to the U.S. in reliance on Safe Harbor. Dixon welcomed the ruling of the High Court and noted that she would proceed to “investigate the substance of the complaint with all due diligence.”

Continue Reading Irish Data Protection Authority to Investigate Facebook’s Data Transfers

On October 14, 2015, the data protection authority (“DPA”) in the German state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz) issued a position paper (the “Position Paper”) on the Safe Harbor Decision of the Court of Justice of the European Union (the “CJEU”).

Continue Reading German DPA Issues Position Paper on Data Transfer Mechanisms in Light of CJEU Safe Harbor Decision