Much has been made of the “Brussels Effect”: countries all over the world seem to be following the EU’s lead in enacting comprehensive data protection regimes modelled on the EU’s General Data Protection Regulation (GDPR). It’s even beginning to catch on in the US. For example, the newly passed California Privacy Rights and Enforcement Act (CPRA) was created in part to bring California’s existing privacy law, the California Consumer Privacy Act (CCPA), closer to GDPR standards. But when it comes to privacy litigation, are the US and EU drifting closer together, or further apart? This blog is the first in a series that attempts to answer that question.
Class and mass lawsuits are old hat in the United States and Canada, but they’re relatively new to Europe. The rise of mass claims in Europe is one area in which the US and European experiences are beginning to converge. Privacy litigation is perhaps the ultimate “negative value suit”: because individuals generally suffer next to zero concrete harm from supposed violations of their privacy, virtually no individual has an economic incentive to pursue privacy litigation if they have to go it alone. This means that a privacy case typically is viable only if the claims of many individuals are aggregated in one case. Because class actions have been an integral part of the American judicial system since 1938, privacy litigation in the US is now well established. The rise of mass claims in Europe means that significant privacy litigation is likely to emerge there, too.
The convergence of the US and European experiences should not be overstated. Mass claims in Europe look markedly different from class actions in the United States. In general, European plaintiffs are required to do more work for less payout than their American counterparts. Unlike the US, which has opt-out class actions, most European jurisdictions have an “opt-in” system, under which individuals are required to take proactive steps to become a member of the proposed class. Unlike the US, where plaintiff firms take on class cases on a contingency basis, bankrolling mass litigation is a sizeable hurdle in Europe. Many jurisdictions impose significant restrictions on third-party funders and on the types of advertising plaintiff-side law firms may use. And if a class is ultimately unsuccessful, European plaintiffs are required to pay a substantial portion of the defendant’s legal fees, unlike in the US, where plaintiffs suffer few if any consequences for bringing a strike suit. Another difference between the EU and US is the identity of the claimant. The plaintiff in a US class action must be an injured person who meets a number of procedural requirements in order to represent a class of similarly situated persons. But in Europe, privacy organizations like NOYB (“None of Your Business”) have essentially become professional litigants, pursuing privacy claims on behalf of masses of people.
Another area of convergence is in the terms of debate when these suits arise. In both the US and Europe, privacy litigation tends to kick off with a debate about the nature of the harm that claimants are alleging: is it concrete enough to support a court case, while at the same time similar enough from claimant to claimant to support a class or mass action? In the US, class representatives need to allege an “injury in fact” sufficient to show they have standing to pursue a claim in federal court. They also must show that their injury is typical of injuries suffered by others in the class and that the injuries of all class members are capable of common proof. These requirements are echoed in the UK’s new collective action procedure. In the UK, individuals can bring class actions so long as they “fairly and adequately act in the interests of the class members.” UK claimants must also have “the same interest” as the larger class at all stages of the proceedings.
With a number of plaintiff-side firms handling privacy litigation on both sides of the Atlantic, we’re seeing a lot of the same arguments being made in the US, the UK, and continental Europe. So it’s not surprising that courts in the US and Europe are starting to look at and cite decisions and statements by authorities in other jurisdictions when issuing rulings. For example, one US court recently cited the UK’s Information Commissioner to hold that plaintiffs in a data breach case had suffered harm because they lost the value of their personal data.
Hints of international influence have shown up in US judicial opinions in other ways, particularly as more corporations with global reach adopt international best practices. After a significant data breach in July 2019, plaintiffs in a consolidated class action against Capital One highlighted language from Capital One’s privacy policy in their brief opposing defendants’ motion for summary judgment. The privacy policy stated that: “we will protect [your] information with controls based upon internationally recognized security standards, regulations, and industry-based best practices.” In his decision denying Capital One’s motion for summary judgment on a number of plaintiffs’ claims, including a breach of contract claim, a Virginia federal judge held that “the statements made in the Privacy Notices…communicate a definite promise to maintain the security of Plaintiffs.” The court found that the privacy notices, which Capital One stated “govern your Account with us,” were contractual obligations that held the company to “internationally recognized security standards.”
Now, “internationally recognized security standards” could mean a number of things. The evidence at trial might establish that this phrase should be understood to refer to a specific internationally recognized security standard like ISO27001. Because so many cybersecurity standards are international, this could mean that courts across the world might end up applying the same standards. On the other hand, the evidence at trial might establish that the phrase should mean something more amorphous like “international best practices.” In that case, the court would likely look at practices across borders to assess the defendant’s security standards.
There is one area in which US courts have not embraced international privacy norms: discovery. Discovery objections based on the GDPR have largely been unsuccessful in US litigation, where discovery requests often seek production in the US of data stored in the EU. According to the International Defense Counsel Journal, there has been a marked uptick in discussions of EU law in US discovery disputes. As of July 2019, at least eleven published federal cases mentioned ‘GDPR’ in discovery disputes, usually tied to IT matters. Courts have used a variety of different tests to reject GDPR defenses, reflecting a consensus – at least as of this writing – that US interests in full discovery and in preserving fairness in fact-intensive litigation outweigh GDPR compliance concerns. Most courts have tended to agree with the SEC’s argument in SEC v. Telegram that “invoking the words ‘foreign data privacy’ is not a talisman that exempts [a defendant] from its discovery obligations.” Although US courts appear concerned about EU privacy laws when the focus is on the data involved in the breach itself, they seem less eager to protect data under EU law when it comes to a party’s discovery obligations in litigation.
Although the continents have drifted closer by holding international companies to a higher privacy standard, the US continues to hold steady to its pro-discovery foundations. This will be an important year to watch whether the nod some US courts have given to European data privacy laws portends a broader shift in the privacy litigation sphere. In our next blog in this series, we consider how laws adopted in some jurisdictions are incentivizing other jurisdictions to adopt similar laws, thereby creating a convergence organically.