Negligent Hiring, Retention & Supervision

In today’s hyper-litigious society, employers must perform reasonable investigations of new hires and remain attentive to conduct of tenured employees, to ensure that an employee does not present an unreasonable risk to others.

Types of Claims

Employers have faced claims for negligently hiring a new employee, negligently retaining a bad employee and/or negligently supervising a wayward employee.  A Negligent Hiring claim asserts that the employer did not exercise reasonable care when hiring the new employee, whose dangerous tendencies or incompetence for the job at issue would have been evident from a reasonable pre-employment investigation of the new employee’s background.  Similarly, a Negligent Retention claim asserts that an employer retained an existing employee who was known by the employer to have dangerous tendencies or to be incompetent for the job at issue (e.g., the employer knew from the employee’s work records, prior complaints, disciplinary reports or prior observed misconduct).  A Negligent Supervision claim involves the same elements as a Negligent Retention claim, but typically focuses on misconduct occurring on the employer’s property (e.g., in the store) or under other circumstances where the employer could have exercised direct control over the employee.  All three claims require a showing of injury proximately resulting from the employee’s acts.  See generally Kwang Bok Yi v. Open Karaoke Corp., No. 2016-11486, 2018 WL 2224984, at *1 (App. Div. 2d Dept May 16, 2018).

These types of claims typically are asserted against an employer by third parties injured by an employee – such as customers or passers-by.  Worker’s Compensation rules generally preclude one employee from asserting such claims against their employer based on conduct by a fellow employee.  Worker’s compensation programs are usually an aggrieved employee’s only remedy against an employer unless the aggrieved employee can show that the employer deliberately sought to cause the injury complained of.  Ferris v. Delta Airlines, 277 F3d 128, 138 (2d Cir. 2001).

Employers also have a technical defense that would enable dismissal of a Negligent Hiring, Retention or Supervision claim if the alleged injury occurred during the offending employee’s execution of his/her duties (e.g., a company truck driver with a history of driving infractions causes a car accident, or a bar bouncer with a criminal assault record breaks a patron’s nose while forcibly removing the patron from the bar).  Where “an employee is acting within the scope of his or her employment … no claim may proceed against the employer for negligent hiring or retention.” Karoon v. New York City Tr. Auth., 241 A.D.2d 323, 324, 659 N.Y.S.2d 27 (1st Dept. 1997); Troy v. City of New York, 160 A.D.3d 410, 70 N.Y.S.3d 842 (2nd Dep’t 2018).  This defense, however, is of limited practical utility because the employer remains liable for the employee’s conduct under a theory of respondeat superior.  Lara-Grimaldi v. Cty. of Putnam, No. 17-CV-622 (KMK), 2018 WL 1626348, at *24 (S.D.N.Y. Mar. 29, 2018) (citing Karoon, 659 N.Y.S.2d at 29). “[I]f the employee was not negligent, there is no basis for imposing liability on the employer, and if the employee was negligent, the employer must pay the judgment regardless of the reasonableness of the hiring or retention or the adequacy of the training.” Id.

Employer’s Prophylactic Measures

What constitutes reasonable investigation or oversight of an employee (whether pre-employment or continuing supervision) necessarily varies with the nature of the employee’s position.  It stands to reason that the potential for an employee to cause injury depends on the level of authority possessed by the employee, the risk associated with the employee’s position and the extent to which the employee will interact with the public.  The type and comprehensiveness of the investigation of the employee vary accordingly.  Of course, if an employee or potential employee is known to have been involved in an offending incident in the past, the level of scrutiny should increase.  Thus, senior/supervising employees or those with direct and regular public contact require more extensive background checks than laborers who work exclusively in back-office or warehouse roles.  Likewise, a driver who has never had a traffic ticket over the past 5 years may require less continuing oversight than a similarly positioned driver with a recent road rage conviction.

The employer should take prompt and consistent action to investigate claims of employee misconduct and appropriately punish wrongdoers – including terminating employment if the offense so warrants.  Prompt and appropriate responses to employee bad behavior can help avoid or mitigate third party claims.

The employer should take care to accurately document its background investigation and oversight efforts.  In case litigation arises, it will be helpful to have records showing that the employer acted reasonably under the circumstances.  Conversely, an absence of records or materials showing that the employer ignored “red flags” can be very problematic at trial.

Of course, the employer must be discreet and judicious in the use of information it acquires when conducting an investigation or oversight of employees.  Federal, state and local laws limit whether and how an employer may use an employee’s criminal conviction, arrest record, driving record, credit history, past bankruptcy or participation in other litigation.

For further information or assistance with any pending or potential matter, please contact Jonathan Faust, at Wilson Keadjian Browndorf LLP, 212.660.9555 or jfaust@wkbllp.com.


Website Accessibility

Businesses must proactively ensure that their commercial websites are easily accessed by people with visual, auditory, motor and/or cognitive impairments or brace for litigation throughout the United States.

A growing number of lawsuits claim that websites that are not reasonably accessed by the disabled violate the U.S. Americans with Disabilities Act (“ADA”).  See e.g., McDonald’s, Kmart, Others Settle Suits Over Website Access for the Blind, Chicago Tribune, Nov. 6, 2017 (describing four lawsuits brought by the same law firm on behalf of the same group of plaintiffs). Accessibility concerns have most commonly been raised regarding public facing websites by which users engage in transactions or receive goods and services.  However, accessibility concerns have also been cited respecting companies’ internal employee intranets and web pages advertising job offerings to the public.

The ubiquity of internet searches in everyday life means that the disabled often encounter frustrating websites.  In addition to those persons genuinely aggrieved by a difficult website experience, there are many recurring “career plaintiffs” (and a growing cottage industry of lawyers) who look to manufacture litigation in order to effectuate change and/or extract settlement payments.  Such plaintiffs quickly file cookie-cutter complaints, often targeting entire industry sectors.  While the current litigation has tended to target large, well-known retailers, businesses should expect these lawsuits to proliferate and reach small and mid-market companies.

Significantly, under current law, businesses can be sued for website accessibility violations without prior notice. In other words, a business might first find out about an ostensible accessibility concern with its website upon receiving a demand letter or even a formal legal complaint filed against it.  Reacting to an existing legal claim means that, in addition to the expense and distraction of litigation, accessibility issues get resolved with plaintiff’s counsel’s oversight, and on the plaintiff’s timeline.  The bad publicity associated with such litigation can also expose a business to secondary issues — such as generalized customer relations concerns and/or potential government enforcement actions.

Besides avoiding the many problems attendant to litigation, there are compelling business reasons for a company to promptly and proactively take steps to make its websites more accessible to the disabled.  Indeed, making it easier for more customers to find, engage and buy from the business is often its own reward.  Likewise, it is easier for a business to retain customers as they age if the company website is accommodating to those with diminished eyesight, hearing and motor skills.  Implementing enhanced website accessibility standards might also improve search engine optimization, making the company’s website higher profile during routine internet searches.  In addition, pre-emptively ensuring website accessibility can reinforce a business’ reputation as a good corporate citizen.

Businesses can take pre-emptive action by modifying their websites to add: (i) captions and transcriptions of multimedia content on the site for hearing impaired users; (ii) spoken descriptions of photos to assist the visually impaired; (iii) options to navigate online pages point-to-point using keyboard commands (not a mouse) to access different levels of headers and text for those with fine motor skills impairment; and (iv) features, such as “alt text” in the code, that enable the website to work with mass-market screen readers. Addressing web accessibility proactively, and before any lawsuit arises, lets the business take charge — and means that website reconfiguration (and/or replacement with a site that is “accessible by design”) and attendant issues such as testing, training, and maintenance can be appropriately budgeted, staffed and planned within the business and financial structures of the company, and not based on imperatives set by a court or plaintiff.

Currently, there is no single web accessibility standard that has been formally endorsed legislatively or judicially.  However, the World Wide Web Consortium (“W3C”) sponsors the Web Accessibility Initiative (“WAI”), which provides a widely respected and generally accepted set of website accessibility guidelines, technical reports, educational materials and other documents that relate to different components of web accessibility.  Many private litigation settlement agreements provide that the offending website that is the subject of the dispute should be reconfigured to meet the WAI guidelines. Accordingly, website owners should consider proactively redesigning their sites to conform to WAI guidelines. The link to the W3C guidelines is: http://www.w3.org/standards/webdesign/accessibility.

Skilled counsel can assist you in evaluating your situation, controlling the cost of any website reconfiguration or lawsuit, and making tactical decisions on how to comply with web accessibility concerns.  Proactive attention to website accessibility should result in reduced litigation and compliance risk, lower long-term costs, and increased business from customers.  If you have questions or concerns about web accessibility, please contact Jonathan Faust at (212) 660-9555 or by email at jfaust@wkbllp.com.

Wilson Keadjian Browndorf, LLP Welcomes Jonathan J. Faust as New Partner

NEW YORK, NY, April 20, 2018 – Wilson Keadjian Browndorf, LLP is pleased to announce that Jonathan J. Faust will join the Firm as Partner and move his practice to the Firm’s New York office.

Mr. Faust is a veteran litigator and enhances the Firm’s capabilities with his wide-ranging experience as a general commercial litigator and accomplished business advisor. His practice includes civil disputes of every size and nature, across industries as varied as Fashion & Apparel, Construction, Information Technology, Real Estate, Banking and Waste Management. As representative examples of the breadth of his practice: (i) Mr. Faust successfully defended a foreign sovereign central bank against a putative class action pending in Federal Court in Illinois, involving complicated claims based on international law in which the plaintiffs sought damages that exceeded 40% of Hungary’s GDP; (ii) he regularly handles mid-sized contract, employment, discrimination, restrictive covenant, landlord-tenant and intellectual property disputes; and (iii) he cost-effectively represents the individual principals of clients in smaller, personal matters pending in New York Civil Court.

“I’m looking forward to working with such a talented group of professionals whose goals align with mine when it comes to client offerings,” said Mr. Faust. “My job is to be a problem solver and facilitator, helping my clients achieve their goals in a practical, effective, and cost-efficient manner.”

“Jon adds incredible skillsets to the Firm’s talent pool. In addition to being a tremendous lawyer, Jon is also greatly admired for his unique achievements,” said Michael Keadjian, Managing Partner of Wilson Keadjian Browndorf, LLP. “Jon’s experience advising sophisticated clients in a broad range of corporate matters will make him a great addition to our New York team and a sought-after resource for clients. This is an exciting time as we commit to building a dynamic, thriving legal practice in this amazing city.”

Mr. Faust earned his J.D. from Columbia Law School. He graduated summa cum laude from the University of Michigan with a B.A.


About Jonathan J. Faust

Jonathan J. Faust will serve as Partner of Wilson Keadjian Browndorf, LLP’s New York office. After 25 years as a successful general commercial litigator at an Am-Law 100 law firm, Mr. Faust brings to WKB extensive trial and appellate experience, in both state and federal court.  His practice also includes mediation and arbitration.  He is an accomplished business advisor, who serves as the outside general counsel and sounding board to clients — helping them navigate through volatile currents to clear seas no matter the nature of their concerns.   Mr. Faust’s legal and business insights are burnished by his additional experience as the Senior Counsel to the Claims Resolution Tribunal in Zurich, Switzerland; as General Counsel to Fast Track Nutrition; and as a Special Assistant District Attorney with the Manhattan District Attorney’s Office.

Mr. Faust is a well-known and respected thought leader, having lectured generations of future movers and shakers at Columbia Law School in New York, the University of Michigan Law School and at Eötvös Loránd University in Budapest, Hungary.

At his prior firm, Mr. Faust was the partner directly responsible for recruiting recently graduated law students and integrating them into permanent associate positions. He also was a partner member of that firm’s Attorney Retention Committee tasked with identifying and improving quality-of-life issues.

Mr. Faust’s dynamic leadership, energy and “can-do” attitude carry over into his other pursuits.  He is the Commissioner of, and a volunteer firefighter (Lieutenant) in, the Greenville Fire District.  He is also a member of the Edgemont Union Free School District School Board, one of the country’s top performing public school districts.  Mr. Faust plays soccer and softball, and trains in combat sports.

When Mr. Faust takes on a matter, his clients reap the benefit of his considerable knowledge, experience and intense personal investment.  Mr. Faust has a consistent track record of success and cost-effectively realizing his clients’ goals.


About Wilson Keadjian Browndorf, LLP

WKB is a full-service law firm, offering its clients the energy, efficiency, and creativity of a smaller more flexible firm, with the skills and experience of a larger firm. WKB’s attorneys’ experience is as diverse as their client base and includes significant experience in traditional industries such as finance, project development, construction, intellectual property, media and real estate, as well as emerging areas such as automation, e-mobility, and life sciences. The Firm’s model allows it to provide the same type of professional results as the larger firms but at far more competitive rates.


Media Contact

Danny Kim

dkim@wkbllp.com

Social Media Contacts

Facebook @WKBLLP

LinkedIn @WilsonKeadjianBrowndorf

Facebook’s Data Practices Saga

As we all know, the personal data of about 87 million Facebook users have been “shared” without their knowledge with Cambridge Analytica (“CA”), a firm linked to Donald Trump’s 2016 political campaign.  Seemingly, Facebook knew of this incident in December of 2015, but Facebook users only found out this past March 17 when the New York Times reported it.  In commenting on this latest scandal, the Economist was quick to point out the Company’s “morphing, porous privacy policies and … a cavalier approach to oversight.”

When Mark Zuckerberg testifies in Congress today, U.S. lawmakers will be sure to focus on this breach’s effects on the election process and the identity of those posting news. This highlights the dramatic differences in how personal data is viewed between the U.S. and the European Union. Facebook and other data collectors fully believe that they have the right to use personal data as they deem fit. EU constituencies expect the opposite, and the new Regulation places all control over personal data in the hands of data holders. Given the global reach of any online information, uniform rules and approaches to protecting personal data would be of benefit, but given these conflicting views, we are more likely to see different data practices in the U.S. and in Europe, with data collectors applying a different treatment to U.S. data than EU personal data.


Leslie Williams, partner Wilson Keadjian Browndorf LLP

© 2018 Leslie Williams

This article is current as of April 10, 2018

German Court Curbs Facebook User Terms

On January 16, 2018, in another step toward reining in Facebook’s data practices in Europe, a Berlin district court issued a 250,000 judgment against Facebook Ireland Ltd. and ordered the company to change many of its terms of use for German users of the social network.[1]

Here are a few of the main points:

Facebook cannot require German users to register using their true name.  Users can register under an anonymous or pseudonymous name. This is an issue which was raised at least as early as 2012 by the Federation of German Consumer Organizations (VZBV), but remained unresolved until now.[2]

Current Facebook practices in which certain privacy settings are pre-set or set by default are not permitted. Users of the mobile app must be able to opt in to sharing their location.  Users must also consent expressly to:

  1. Use of sites such as Google to show a user’s profile in search results;
  2. Facebook’s use of user names and profile for commercial, sponsored or other applications; and
  3. Any transfer of personal data to the U.S.

Facebook opposed the decision and plans to appeal. Nevertheless, the Plaintiff, VZBV, welcomed the ruling as an overall success for users.  The VZBV is also expected to appeal on the points it lost, such as the finding that Facebook’s advertising its service as “free and always will be” is admissible and not confusing.

For any U.S. companies which collect, use, or process personal data of data holders resident in the EU, the means of showing compliance, the required disclosures, and the consents to be obtained from the data holders have increased and become more restrictive, and the enforcement of data protection rules will become more stringent by this coming May, when the EU General Data Protection Regulation[3] becomes effective.

For more information see http://www.wkbllp.com/legal-article-data-protection.


[1] AZ 16 O 341/15: http://www.spiegel.de/netzwelt/web/facebook-voreinstellungen-landgericht-berlin-sieht-verbraucherschutz-verstoesse-a-1193024.html

[2] http://www.bbc.com/news/technology-43035968

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (OJ L 119, 4.5.2016, p. 1–88)

Europe’s Data Protection Regulation and the EU-U.S. Privacy Shield: the New Normal for Everyone?

During a September 2014 Intellectual Property Law Conference in Duesseldorf, Germany,[1] Birgit Sippel, a member of the European Parliament, informed the audience that the Parliament overwhelmingly supported far greater restrictions on collectors and processors of personal data than currently provided, regardless of where they were situated. Ms. Sippel went on to state that the Parliament would swiftly adopt a 2012 proposal to establish an EU-wide regulation, bolstering the rights of EU data holders and creating data protection agencies authorized to handle complaints against data collectors or processors.

At that time, I commented in a blog that U.S. firms doing business with EU customers in which they collect, use or process personal data could not expect that their U.S. data processing practices could continue in the EU without specific attention to the EC Directive and related data protection rules. Several months prior, in May of 2014, the European Court of Justice (ECJ) had held in a case involving a Spanish citizen and Google, that not only did EU rules apply to data collectors which sell advertising space in the EU, regardless of where the server was located, but the data holder has the right to request removal of links with personal information under specific circumstances and require the collector to comply.[2] Google lost the case, and the so-called “right to be forgotten” was incorporated into the EU data protection rules that were adopted in December of 2016, largely in line with Ms. Sippel’s position.

After the Google ruling, an Austrian citizen filed a complaint with the Irish Data Protection Commissioner against Facebook, which is incorporated in Ireland, challenging Facebook’s transfer of his personal data to the U.S. on the grounds of inadequate protection in the U.S. The complainant’s appeal in Ireland was stayed until the ECJ ruled, with the Court finding that the then-applicable decision of the EU Commission on adequacy with regard to the U.S. data protection standards was invalid. This Court decision from October of 2015[3] thus upended the existing framework permitting U.S. processors to transfer EU data holder information to U.S. servers.

The EU Commission returned to the negotiating table with its U.S. counterparts to address the Court’s concerns with respect to U.S. companies’ data practices, and in August of 2016, a new bilateral agreement, the EU-U.S. Privacy Shield framework, came into effect, replacing its predecessor Safe Harbor framework.

Then, at the end of 2016, the EU adopted the General Data Protection Regulation, or so-called “GDPR” (the “Regulation”),[4] which replaces the current EU Directive 95/46 on data protection and is to be fully implemented by the EU Member States by May of 2018.

What the Regulation protects

The Regulation protects the use of personal data of individuals by data processors which collect, use, or process such data in any manner for commercial purposes. While the EU data regulatory framework is far more comprehensive than the Regulation and includes additional laws related to health care data, law enforcement,[5] institutional use and other areas, the Regulation and the accompanying EU-U.S. Privacy Shield framework represent the core data protection rules which affect U.S. businesses.

The Regulation covers personally identifiable data of any data holder with an address in any of the 28 EU countries, the EEA countries of Norway, Iceland, and Liechtenstein, and Switzerland, and accords rights and safeguards to them, regardless of where the data collector or processor is located.

Under the Regulation, the data holder is the owner of his or her data. The holder is entitled at all times to, and must consent to, third-party use of his or her data. The holder may revoke his consent to use or may require erasure or removal of data to which the holder previously agreed. As a result, data collectors must ensure that the data holder:

  1. has one or more means of giving consent to the processor’s use of the holder’s data in a clear, affirmative way (opt in, not opt out);
  2. is able to request access to the holder’s data, and access must be made easy and available to the holder at reasonable intervals;
  3. may object to the continued use of his or her data, request that it be rectified, or have it erased or removed, even if the data holder previously agreed to its use.

How data holders’ rights are enforced

The Regulation institutes simplified administrative and judicial remedies for complaints and their resolution. The data holder may submit complaints to a single supervisory authority in each Member State or to one of several agencies in the United States in the case of complaints against a U.S. data processor.

All data processors which process information of EU data holders are required to designate a representative to act on behalf of the processor and with regard to the Member State’s supervisory authority, to cooperate with that authority to ensure its compliance with the Regulation, and in the event of a breach, to be subject to enforcement proceedings. U.S. controllers or processors without an establishment or presence in the EU must also designate a representative to act on behalf of the processor with respect to a Member State’s supervisory authority, and in the event of any breach of the Regulation’s rights to data holders, expect that complaints will be processed by the authority.  A data holder is also entitled to judicial remedies against an administrative ruling of the authority or in the event the authority fails to carry out its duty to process a complaint in accordance with the Regulation’s dictates.

The data holder’s remedies cover “material or non-material damage”, which occurs from a processor’s proven infringement of the holder’s rights, and in either case, the holder is entitled to compensation.

The EU-U.S. Privacy Shield and U.S. Processors

Under the predecessor directive to the Regulation, the EU Commission was authorized to decide on the adequacy of legal protections in countries outside of the EU, including the U.S., prior to permitting transfers of personal data of EU data holders outside of the EU for processing. Although the Commission had instituted the Safe Harbor framework, in the wake of additional case law (see the Schrems decision discussed above), it was compelled to reform the framework, which in turn led to the Privacy Shield[6] and a system of certification to ensure ongoing compliance.

Under the certification system, U.S. processor companies commit to the U.S. Privacy Shield principles and voluntarily apply for certification through the Department of Commerce, FTC or DoT, depending upon the authority responsible for the particular industry in which the processor operates. In exchange for this certification, processors are permitted to transfer or continue transferring data of EU holders outside of the EU for processing. Certification is subject to annual review and renewal by the agencies involved and to these agencies’ enforcement powers. EU data holders are able to submit complaints to the data protection authority in the holder’s Member State of residence or to the U.S. agency concerned for handling. If need be, resolution through alternative dispute resolution, such as arbitration, is further provided.

As of this September, a significant number of large U.S. data collectors and processors have certified with the Department of Commerce. Moreover, the Privacy Shield framework is subject to ongoing review, monitoring and enforcement by the EU Commission, and may be updated or changed to address new issues as they arise. Thus, it is not a one-time compliance issue, but an ongoing one with the prospect of increased supervision or restriction.

Takeaways for Data Holders and Processors

Well before 2014, European laws and attitudes towards the collection and use of personal data have been more restrictive than in the U.S. The Regulation is built upon decades of precedent and represents the next level in ensuring stricter standards and uniform application of the law’s provisions to all EU and EEA countries, plus Switzerland.

The EU Data Holder Wields the Power

Most U.S. data processors have based their operation on the premise that personal data made available to the processor is for use at the service provider’s discretion, and that once given, the processor has few restraints other than to protect against hacking or other security breaches that may affect specific transactions, such as credit card processing and credit reporting, which involve financially sensitive data. Once disclosed to the processor, the data holder is not given control over current or future use, nor the means to take specific affirmative action to restrict or correct the data disclosed. A very different model applies in the EU. The European personal data holder is the owner of his or her data and is entitled to affirmatively consent or “opt in” to specific uses by the data processor. At any time, the data holder may revoke, amend or request removal of data, and the processor must comply. Noncompliance has the consequences of answering to a data protection agency and potential liability for compensation.

While to date there may not have been much debate in the U.S. over the rights of the data holder, European thinking on personal data and privacy may prompt more vigorous discussion over the power that large U.S. data processors exercise in the U.S. market, in great part due to the personal data they have collected. One recently dissenting voice is that of University of Southern California’s (USC) communications professor, Jonathan Taplin. In Taplin’s book, “Move Fast, Break Things”,[7] he makes the case that firms such as Google, Facebook, and Amazon have immense influencing power over our daily lives because of the personal data which U.S. holders have unwittingly provided. In turn, such data control has helped to give rise to monopolies each online service now has in search (Google), social media integration and messaging (Facebook), and books and other items (Amazon).

European influence on Data Operations in America?

Historically U.S. firms and American institutions have played a major role in influencing commercial practices, policy and culture well beyond U.S. borders. Under the Privacy Shield, the EU Commission decides what data can be collected, used and processed with regard to EU data holders and whether the policies and practices in the U.S. are adequate to permit data transfer to the U.S. As the data protection rules are subject to ongoing review and will evolve as cases are tried and complaints heard, U.S. processors can expect that collection, processing and transfer operations will continue to be monitored and to be subject to higher standards and restrictions. The new normal in EU data collection and processing can be likened to a nonexclusive license granted by the data holder to the processor, which the holder may revoke, amend, or request be entirely removed at any time, rather than a one-time transaction where the holder makes the disclosures to the processor and the processor is free to use the data as it sees fit.

To the extent a data collector or processor does not provide mechanisms which ensure that the data holder’s rights are protected and provide the measures to enforce them, the processor’s business model, means of operation or management practices will need to be adapted to do so. This is very likely to result in additional costs to institute affirmative consent or closer interaction mechanisms with data holders and to accommodate requests to rectify or remove data. Indeed, a recent PwC Survey found that among large American processors, the most frequently implemented compliance measures included certification under the Privacy Shield and instituting binding corporate rules, at an investment cost of more than $1 million.[8]

If these compliance mechanisms are put in place for EU data holders, why not offer such protections to all data holders, including those in the U.S.? Even if data processors are not considering this from the standpoint of simplifying commercial operations, it seems that U.S. data holders ought to be asking this question for themselves.

What the future may bring

U.S. data holders may presume that the ease and convenience of the services which data processors provide is not only worth the data holder’s consent to wholesale use of the holder’s personal data, but also that this bargain initially struck with any processor is not open for discussion. Europe, in contrast, acknowledges the data holder’s rights to value and control personal data, regardless of convenience of service, and is compelling U.S. companies to adapt their current business models and systems to comply with the more comprehensive levels of data protection required by the Regulation.

The debate in America on data security has been sparked by security breaches at Yahoo and Equifax, and by Uber’s recent announcement of a hack of its systems that has only recently come to light. However, it is the EU data protection authorities that are taking action to investigate Uber’s breach. The ride share service’s breach is now subject to an investigation by the Dutch data protection authority under the Netherlands’ rules, which are quite stringent; the Netherlands is the site of Uber’s European operations. Austria and Poland are launching separate investigations of the potential breach, and the U.K. and Italy may join. This has prompted the EU to consider launching an EU-level probe. Such an EU investigation would not, however, negate the imposition of sanctions at the Member State level, at least until the Regulation takes effect next May, and the Netherlands’ maximum fines are high, up to 820,000 euros.[9]

U.S. data holders’ ire over hacking and over companies maintaining secrecy about breaches has not yet led to a vigorous debate as to who is in control of personal data and what individual rights and remedies a data holder has. The Regulation and Privacy Shield should prompt a far deeper reexamination of how we view our personal data and what we require of the businesses making use of it. Do we want the rights to erase, remove, or change the data we give, and to have links removed so as to “be forgotten”? What should be the consequences to processors if U.S. data holders’ rights are breached or adversely affected? It may be time for a simplified process to file complaints and seek redress administratively or judicially without the costs outweighing the benefits. And if, as with Uber, a large number of customers are affected, why shouldn’t sanctions or fines apply? We’ve imposed them for antitrust violations and intellectual property infringement. Why wouldn’t we consider them for egregious breaches of personal data?

Leslie Williams, Partner, Wilson Keadjian Browndorf LLP

© 2017 Leslie Williams

This article is current as of December 4, 2017

[1] German Intellectual Property Law Association (GRUR) Annual Conference September 2014, (www.GRUR.org).

[2] Judgment of the Court (Grand Chamber), 13 May 2014. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González. ECLI:EU:C:2014:317.

[3] Judgment of the Court of 6 October 2015, Maximillian Schrems v Data Protection Commissioner, Request for a Preliminary Ruling from the High Court (Ireland), C-362/14, ECLI:EU:C:2015:650 (hereafter “Schrems Decision”).

[4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1–88). The Regulation replaces its predecessor Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

[5] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and repealing Council Framework Decision 2008/977/JHA.

[6] Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (C(2016) 4176; OJ L 207, 1.8.2016, p. 1–112).

[7] Taplin, Jonathan, Move Fast and Break Things: How Facebook, Google, and Amazon Cornered Culture and Undermined Democracy, Macmillan, 2017.

[8] “GDPR Compliance Top Data Protection Priority for 92% of US Organizations in 2017, According to PwC Survey”, PwC. 23 January 2017, www.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-release.

[9] “EU considers investigation into Uber Hack”, Financial Times, 23 November 2017, www.ft.com/content/db433c83-7b7e-3d2f-9a60-e89355640bf7.