In a case of first impression, a federal court in California rejected an attempt by plaintiff, a UK citizen, to bring GDPR-based claims against an American company on behalf of a UK putative class.  Elliott v. PubMatic, Inc., 2021 U.S. Dist. LEXIS 154053 (N.D. Cal. Aug. 16, 2021).  Because this is the first instance in which a plaintiff sought to bring a GDPR-based suit in American courts, it is a notable decision anticipated to shape the data privacy litigation landscape going forward.

Some legal background.  As summarized by the court in Elliott, the United Kingdom’s General Data Protection Regulation (“UK GDPR”) provides rules relating to the protection of natural persons with regard to the processing of personal data, and rules relating to the free movement of personal data in the United Kingdom.  This includes protections that limit the use of uniquely identifying cookie IDs where consent is not expressly granted.  The UK GDPR includes a private right of action.  While it is “materially identical” to the EU GDPR, it contains a significant substantive difference: unlike the EU’s GDPR, the UK GDPR does not require complaints to be filed in a European court.  In this case, Plaintiff asserted, he was authorized to file suit under the UK GDPR in the United States—notwithstanding that he resided in England.

Now, let’s take a look at the (alleged) facts of the case.  Unlike Plaintiff, Defendant PubMatic, Inc. (“PubMatic”) is based in the US.  PubMatic is a digital advertising technology company.  Plaintiff alleged that “[a]s part of its business practices, PubMatic placed unique and therefore individuating identifiers in the form of cookies on Elliott’s device and used those uniquely identifying cookies to monitor and track [Plaintiff’s] U.K.-based online activities.”  Plaintiff additionally alleged that he was injured by PubMatic’s alleged internet cookie placement practices in violation of his U.K. data privacy rights.  He sought to represent a class of “[a]ll persons residing or who resided in England and Wales who used Chrome, Edge, or Internet Explorer browsers and have had a PubMatic cookie placed on their device”.

Defendant moved to dismiss under Rule 12(b)(1) and 12(b)(6), asserting arguments based on standing, forum non conveniens, and international comity.  The court ultimately granted the motion and dismissed the case after adopting the Defendant’s forum non conveniens and international comity grounds—leaving the question of standing unresolved.

First, insofar as forum non conveniens is concerned—the doctrine is based on the notion that “[a] district court has discretion to decline to exercise jurisdiction in a case where litigation in a foreign forum would be more convenient for the parties.”  A district court may dismiss a litigation once it determines that “the appropriate forum is located in a foreign country.”  This involves the consideration of various public and private interest factors, which include: (i) the residence of the parties and witnesses; (ii) the forum’s convenience to the litigants; (iii) the local interest in the lawsuit; and (iv) the court’s familiarity with the governing law, among others.  The court held that in this case there was “no argument—there exists an adequate alternative forum,” particularly as Plaintiff himself was a UK resident and Defendant was willing to accept service of process in the UK if the US litigation was dismissed.

Second, the court also held that international comity supported dismissal of the litigation.  It is well-established that “international comity is a doctrine of prudential abstention, one that ‘counsels voluntary forbearance when a sovereign which has a legitimate claim to jurisdiction concludes that a second sovereign also has a legitimate claim to jurisdiction under principles of international law.'”  (citations omitted).  In the context of this litigation, the court found that “[t]he U.K. has a strong interest in addressing injuries to English and Welsh subjects . . . [w]hile plaintiff focuses on the California-based conduct of PubMatic, he glosses over any potential conduct by the company in the U.K. and the injuries suffered to a class of plaintiffs in England and Wales.”

So there you have it.  Because class actions are not well developed as a procedural device or commonplace in Europe, creative plaintiffs’ lawyers were hoping this case could start a new trend of litigating UK GDPR-based claims in US courts.  The court’s dismissal of the litigation has put a stop to that for now—although stay tuned.  Elliott is only the first decision to address this novel legal question, and the Defendant here specifically consented to accepting service of process in the UK—meaning that there may still be other test cases seeking to bring similar legal theories.  Not to worry, CPW will be there to keep you in the loop.

In the wake of CPW’s must-read four-part series on the European Data Protection Board’s (“EDPB”) draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR,” we have a follow-up on important documents that have recently been released relating to rules governing the transfer of EU personal data.  These materials were published by the EDPB and the EU Commission.

In the aftermath of the landmark decision by the Court of Justice of the European Union (CJEU) on international data transfers (with potentially significant impact on U.S. companies), the so-called Schrems II judgment, organizations have been awaiting additional guidance from EU authorities on measures that must be implemented to transfer personal data to third countries without being in breach of Regulation (EU) 2016/679, i.e. the General Data Protection Regulation (GDPR).  A comprehensive overview of this must-read guidance is here.

This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.”  This development matters for CPW readers because even if you are an entity doing business in the United States, if you collect any personal data of people in the EU and meet other criteria, you are required to comply with the GDPR.  CPW will be reposting a four-part series addressing the key concepts and issues covered.

This is the final post in our series on the Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”), focusing on the updates to the concept of “third parties” and “recipients” in the draft Guidelines.  Notably, as the authors explain, this clarity is important as the GDPR refers to “third parties” and “recipients” without laying down any specific responsibilities or obligations.  The EDPB Guidelines, however, offer clarity as they consider the roles of “third parties” and “recipients” from the perspective of their relationship to a controller or processor.

Find out what it all means here.

This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.”  This development matters for CPW readers because even if you are an entity doing business in the United States, if you collect any personal data of people in the EU and meet other criteria, you are required to comply with the GDPR.  CPW will be reposting a four-part series addressing the key concepts and issues covered.

This is the third in our series of posts on the Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”), focusing on the role of joint controllers.  What is a joint controller under the GDPR?  A joint controller is an entity that jointly determines the purposes and means of processing data with another controller.  Find out what it all means here.

This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.”  CPW will be reposting a must-read four-part series addressing the key concepts and issues covered.  This development matters for CPW readers because even if you are an entity doing business in the United States, if you collect any personal data of people in the EU and meet other criteria, you are required to comply with the GDPR.

This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”).  In case you missed it, the first part is available here.  You can access the second part in the series here.  As the authors explain, “[a]lthough the draft Guidelines provide some additional clarity on the distinction between controllers and processors, there remain various uncertainties in the application of the criteria for determining these roles under the GDPR.  Evaluation continues to require a careful assessment of the relevant criteria and regulatory risks.  It is important to keep in mind that not every “service provider” will qualify as a data processor. Indeed, the regulatory approach proposed by the EDPB appears to continue the trend towards limiting the scope of the “processor” classification and categorizing data recipients that play a role in determining the purposes or essential means of the processing as joint controllers instead of processors.”

If you are a reader of CPW, you have probably heard of the General Data Protection Regulation (“GDPR”).  The GDPR applies to companies outside the European Union (including, that is right, United States companies) because it is extra-territorial in scope.  This means, to overly generalize, that if you collect any personal data of people in the EU and meet certain criteria, you are required to comply with the GDPR, even if you are based in the United States.

This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.”  CPW will be reposting a fantastic four-part series addressing the key concepts and issues covered.  As Part 1 explains, “One of the baseline issues that must be considered when assessing the obligations and potential liabilities of an organization that is subject to the GDPR when it collects and processes personal data is whether the organization should be classified as a data controller or a data processor, as defined in the GDPR.  This is not a new issue, since these terms were originally introduced in the 1995 EU General Data Protection Directive and the definitions were not changed significantly by the GDPR.  Determining whether an organization is acting as a controller or processor is often not straightforward as the dividing line between these concepts is not always clear.”

Part 1 of the must-read series, available here, provides an overview of the updated guidance on the concept of data processor.  Subsequent posts will deal with the concepts of data controller and joint controllers.

This continues our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This blog focuses on the updates to the concept of “third parties” and “recipients” in the draft Guidelines. See our previous issue on the updates in the draft Guidelines on the concept of processor here, on controller here, and on joint controllers here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.

We continue our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” (“draft Guidelines”) issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This issue focuses on the updates to the concept of joint controller.  See our previous issues on the draft Guidelines’ proposed updates to the concepts of processor here and on controller here.  Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.

Part 3: Focus on Joint Controllers

What is new in the draft Guidelines?

The draft Guidelines incorporate the holdings of recent judgments of the Court of Justice of the EU (“CJEU”) that expand and clarify the concepts of controller and joint controller.

What are the criteria for classification as joint controllers?

This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”) issued on 7 September 2020 by the European Data Protection Board (“EDPB”).  This post focuses on the updates to the concept of controller. See our previous post regarding the concept of processors here.  Upcoming posts will address joint controllers, “third parties” and “recipients.”

Please note that the EDPB has invited businesses to provide their feedback on the draft Guidelines by 19 October 2020.

This is the first in a series of posts that discuss the key concepts and issues addressed in a set of draft guidelines recently issued by the European Data Protection Board (“EDPB”).  Comments on the draft guidelines are due by 19 October 2020.

Part 1: Focus on Processors

On 7 September 2020, the EDPB published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.” Businesses and members of the public may provide feedback on the draft Guidelines by 19 October 2020.