A European digital consumer can reach across the Atlantic and have a virtual presence in the United States. Likewise, European business entities can solicit and do business with American consumers digitally. There has been much ink (electronic and real) spilled about how the European Union’s General Data Protection Regulation (GDPR) might impact American business entities that solicit and do business with European digital consumers. This summary article looks in the other direction: How might American laws and rules affect the European digital consumer or business entity? The article will address two perspectives, one litigation-related and the other related to American privacy and data breach laws.
Let’s begin with litigation. Assume that an American digital consumer goes to the website of a European business entity, sees a product made by that entity, and purchases the product through a portal on the website. The product is then shipped to the United States (say the State of New Jersey) and the consumer is injured because of a design or manufacturing defect of the product. Where might she bring a suit against the European business entity? The answer, to use a phrase familiar to American litigators, is “it depends.”
The plaintiff’s attorney must first consider where the suit might be brought. Assuming that subject matter jurisdiction exists, should the suit be filed in a United States district court (a federal court) or in the Superior Court of New Jersey (a State court)? Once that decision is made and suit commenced — and the European business entity is served with process — there are decisions that the entity’s attorney (in Europe and presumably in the United States) must make. One option is to simply ignore the suit. That might lead to a default judgment, which might then be enforceable against the entity in Europe. An alternative option would be to respond to the suit by way of an answer or a motion to dismiss for lack of personal jurisdiction over the entity.
Lack of personal jurisdiction is premised on the argument that the European business entity has insufficient ties with America to require it to litigate in the court. Personal jurisdiction can be “general” or “specific.” The former would be based on “continuous and systematic” overall ties, the latter on the specific activities of the European entity that led to the suit.
That raises the question of the digital transaction that the injured plaintiff had with the European business entity. Was that transaction, including the virtual availability of the website to an American consumer, sufficient to make it reasonable for the entity to be required to appear and defend its product? Beyond the specific transaction with the plaintiff, an American court might require the entity to reveal all of its business dealings with American consumers. That might include revealing confidential information controlled or processed by the entity, and that might implicate the GDPR.
Then, assuming that the motion to dismiss is denied, the suit proceeds on the merits. For the purposes of this summary article, let’s assume that happens in the United States District Court for the District of New Jersey in Newark, New Jersey. Counsel will meet to develop a discovery plan for submission to the supervising judge, who will enter a scheduling order. The plaintiff then serves discovery requests on the European business entity and seeks volumes and varieties of electronically stored information (ESI) in the possession, custody, or control of the entity related to the design and manufacture of the product. She also seeks discovery of other purchasers of the product who complained about or were allegedly injured by the product. Again, the GDPR might be implicated and confidential information might be sought.
What might the United States District Court do if the parties cannot reach agreement on, among other things, ESI subject to the GDPR? Several federal courts have addressed arguments raised by defendants that production of certain ESI would violate the GDPR and should therefore not be compelled. Those courts have rejected that argument. Likewise, federal courts, as a general proposition, would compel production of confidential information, if relevant, subject to a protective order that limits who can look at the information. That requires the attorneys to address how ESI should be shared and access restricted.
This was a short overview of how digital information — and the digital consumer or business entity — might (1) be brought into an American court and (2) be required to produce ESI that is confidential or subject to the GDPR. And we have not addressed other types of discovery that might implicate ESI subject to the GDPR, motions to summarily dispose of a suit that might require the filing of confidential information, or trial. Nor have we plunged into discussion of the rules governing litigation in state courts throughout the United States.
Now, let’s move to American privacy and data breach laws and how these might apply to a European business entity. Traditionally, these laws have been “sector-specific.” In other words, laws would address specific types of business entities or specific types of information. One example would be “protected health information” — electronic or paper — related to the care and treatment of an individual. However, given what seems to be daily revelations of misuse of personal data by business entities or of breaches that lead to disclosure and misuse of that data, a number of states have enacted legislation that is likely to impact European business entities that do business with residents of those states. There are too many of these statutes to address in this summary article. More statutes are being proposed across the United States (for example, in the State of Texas) and there are statutory proposals pending in the United States Congress. That being so, let’s look to the States of California and New York as examples of these “new” privacy and data breach laws.
In June 2018, California enacted the California Consumer Privacy Act (CCPA). Among other things, the CCPA grants “a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.” The CCPA defines “personal information” very broadly. It includes, among other things, “biometric information,” which is itself defined to mean:
an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
The CCPA became effective on January 1, 2020, and the enforcement period began on July 1, 2020. It applies to any business entity (or an entity it controls or that controls it) that receives personal information from California residents, either directly or indirectly, and (1) has annual revenue exceeding $25 million, (2) annually receives, directly or indirectly, the personal information of 50,000 or more California residents, devices, or households, or (3) derives 50% or more of its annual revenue from the sale of personal information about California residents. The CCPA is enforced by the Attorney General of California and provides for a limited private cause of action by California residents, confined to certain data breaches. There is no question that the CCPA is intended to reach a European business entity.
California may pass an additional, even broader, privacy act by the end of 2020. The California Privacy Rights Act (“CPRA”) is a ballot initiative that will appear on Californians’ November 3, 2020 ballot. If approved, the CPRA would expand the rights of Californians under the CCPA. If it passes, the CPRA will become effective on January 1, 2023, and enforcement would begin on July 1, 2023. The CPRA would create a government agency, the first of its kind in the United States, called the California Privacy Protection Agency, dedicated to enforcing California’s privacy laws. The agency would consist of a five-member board, including the Chair, and would assume the authority to enforce the CCPA that is currently exercised by the Attorney General of California. An agency specifically tasked with enforcing the CCPA would likely lead to increased scrutiny of business compliance practices and potential penalties for those not in compliance.
The CPRA would also carve out a new category, “sensitive personal information,” from the CCPA’s broad definition of “personal information.” The new category would include, among other things, Social Security numbers, driver’s license numbers, information about finances, precise geolocation, race or ethnic origin, religious beliefs, and genetic data, as well as the content of certain types of messages. The CPRA would create new obligations for companies processing “sensitive personal information,” and would allow California consumers to limit the use and disclosure of that information. Additionally, the CPRA would give consumers further rights, including the right to correct personal information, the right to know the length of data retention, the right to opt out of advertisers’ use of geolocation, and the right to restrict the use of sensitive personal information.
New York has also legislated in this area, although its statute is directed at data security rather than consumer privacy rights. On March 21, 2020, the data security provision of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into effect. The SHIELD Act requires any person or business that owns or licenses computerized data that includes defined private information of a resident of New York to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that information. A covered business is considered in compliance with the SHIELD Act’s data security requirements if it implements a data security program that includes reasonable administrative, technical, and physical safeguards. If a covered business qualifies as a “small business,” its data security program is deemed compliant if it contains reasonable administrative, technical, and physical safeguards appropriate for the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information that it collects from or about consumers.
Unlike the CCPA and the GDPR, the SHIELD Act does not create any affirmative rights for New York residents, and there is no private right of action. However, the Attorney General of New York may bring an action to enforce the Act and obtain civil penalties. The SHIELD Act will have wide-reaching effects, since any business that possesses private information of a New York resident — regardless of whether the company does business in New York — must comply with the law.
What do the CCPA, the SHIELD Act, and statutes like these mean for the European business entity that has a virtual presence in the United States? Those entities will be expected to comply with applicable American federal and State laws and should expect to be scrutinized by American regulators for compliance with those laws. Moreover, if a law allows a cause of action — or if an American court recognizes a private cause of action under common law — those entities should expect to be hauled into an American court to defend themselves against allegations of statutory or common law violations.
As noted above, this is a brief summary of how European business entities that do business with digital consumers in the United States might be brought before an American regulator or court. That is the price for doing business with such consumers.