The 2021 Proposed Virginia Consumer Data Protection Act- New Protections for Virginia Consumers, Burdens for Virginia Businesses

By: Michael H. Gladstone, Esq.

Senators Marsden and Dunnavant introduced Senate Bill No. 1392 this session, a bill providing a “Consumer Data Protection Act” for Virginia. Code of Virginia §§ 59.1-579 – 580. The Act authorizes consumers to determine, by inquiry to a controller, whether or not their personal data is being processed by a data controller or processor and, if it is, on a qualified basis (only “commercially reasonable efforts” required), to correct inaccuracies, obtain a copy of the data, opt out of future processing, and delete the data. The bill has a delayed effective date of January 1, 2023.

Terms utilized in the Act and their lengthy definitions have the ring of the European General Data Protection Regulation (GDPR); in comparison, however, the Act’s effect is much more modest.

Which Businesses Qualify?

The Act limits its application to data controllers and processors conducting business in the Commonwealth or businesses which produce products or services targeted to Virginia residents and which control or process personal data of at least 100,000 consumers, or control or process data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data. The Act’s coverage is not, thus, strictly limited to businesses which


Early Pattern Emerges for Federal Consideration of GDPR-based Objections to Discovery

A Series By: Michael H. Gladstone, Esq.

In Finjan, Inc. v. Zscaler, Inc., 2019 U.S. Dist. LEXIS 24570, the USDC for the Northern District of California addressed an objection by Defendant to discovery propounded by Plaintiff seeking emails possessed by one of Defendant’s European employees. The objection argued the employee’s emails may not be produced without violating privacy requirements contained in the GDPR, which became effective in May 2018. The Court approached the dispute methodically and provided what this author predicted may be a model for future analysis by U.S. Courts of discovery objections under the GDPR.


The Court first announced the general rule that “…a foreign country’s statute precluding disclosure of evidence does ‘not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.’” Societe Nationale Industrielle Aerospatiale v. United States Dist. Court for Southern Dist., 482 U.S. 522, 544 n. 29, 107 S. Ct. 2542, 96 L. Ed. 2d 461 (1987). The Court then identified the considerations pertinent to the question whether or not a foreign statute excuses non-compliance with a U.S. discovery order: 1. The importance of the documents or other information requested to the litigation, 2. The degree of specificity of the request, 3. Whether the information originated in the United States, 4. The availability of alternative means of securing the information, and 5. The extent to which noncompliance would undermine important interests of the United States. Richmark Corp. v. Timber Falling Consultants, 959 F. 2d 1468, 1475 (9th Cir. 1992).

The Court addressed the factors individually. 

Consideration No. 1: The importance of the documents or other information requested to the litigation. The court concluded the documents were directly relevant to the infringement issue and the data subject’s knowledge of the patented technology at issue.  As such, this consideration weighed in favor of disclosure. 

Litigation Participants Subject to GDPR Must Justify their Use of Protected Data

Consideration No. 2: The degree of specificity of the request. The court found the


General Data Protection Regulation in U.S. Litigation through Mid-Summer 2019

Originally published by International Association of Defense Counsel (IADC), Defense Counsel Journal Volume 86, No. 4

IN JANUARY 2012, the European Commission set out plans for data protection reform across the European Union. One of the key components of the reforms was the introduction of the General Data Protection Regulation (GDPR).1

The GDPR is a comprehensive set of rules designed to give European Union citizens more control over their personal data. The GDPR applies, generally, to any organization operating within the European Union, as well as organizations outside of the European Union which offer goods or services to customers or businesses in the European Union among others. Almost every major corporation in the world is affected by this legislation. This legislation came into force across the European Union in May 2018.

There has been considerable uncertainty about how GDPR will be addressed in litigation commenced in the United States. However, as a year has passed, motions relating to GDPR are beginning to be adjudicated, and trends are starting to emerge. This article provides a detailed summary of courts’ treatment of GDPR-related arguments and summarizes the potential impact of GDPR on United States litigation.

I. Impact of GDPR currently

As of July 19, 2019, eleven federal cases reference “GDPR” or the “General Data Protection Regulation.” No state court cases appear. Of the cases returned, four are from the United States District Court for the Southern District of New York,2 and two are from California,3 one each from the Central District of California and the Northern District of California. The remaining five cases originate from District Courts in Washington, Maryland, Alabama, Utah, and Florida.4

These eleven cases generally involve discovery disputes, often in intellectual property matters. In these scenarios, the responding party has raised GDPR as a bar or impediment to


GDPR Issues in U.S. and International Litigation and Arbitration

On November 30, 2018, I had the privilege of serving as a panel member on an International Association of Defense Counsel (IADC) presentation addressing GDPR in International Dispute Resolution.   The other panel members were: Robert Bond, of Bristows, in London, England; Alexandra Simotta, of Six-Group, in Vienna, Austria; and Janis Block, of CMS in Cologne, Germany.  The panel’s objective was to explore the issues arising under the GDPR in international dispute resolution, whether in arbitration or court litigation.   My responsibility was to offer a U.S. trial counsel’s response to the subject.   This article shares a few of the ideas raised during the panel, and a few which have occurred to the author in response to hearing from my fellow panel members. 


An Approach for U.S. Companies to the GDPR

By: Michael H. Gladstone, Esq.

Once GDPR applicability is determined, a host of significant responsibilities apply to US Controllers and Processors of EU subject personal data. The duties extend to the data subject, the EU and its supervising authority, and between Controllers and Processors. Significant adjustments may be required on both the security and informational side of Controller and Processor technology to comply with the notice and subject response obligations imposed on Controllers and Processors. The security by design concepts of the regulation will expose many gaps in current processing capacity. GDPR compliance management will become an administrative function in covered businesses whether or not they operate at a level requiring data processing assessments or designation of a DPO. Companies that resist compliance risk not just enforcement but loss of business relationships with customers obliged to comply.


GDPR Effective Date Imminent-Is Your Business Ready?

By: Michael H. Gladstone, Esq. 

On May 25, 2018, the European Union (EU)  “General Data Protection Regulation” (GDPR)  becomes effective.  Many U.S. businesses are just waking up to the possibility that this regulation may pertain to them. For U.S. entities with any contact with EU subjects and their personal data, the question whether the GDPR applies to them is a serious one which should be carefully studied. 

The GDPR imposes an extensive set of duties and burdens on “covered entities,” and sets out breathtaking penalties for violation of the regulation. Breathtaking here means 4% of worldwide revenue, or 20 million Euros, not counting damages to the violated data subject. The scope of personal data covered by the regulation and utilized by data recipients and users (called “controllers” and “processors” of personal data) coupled with the GDPR’s expanded territorial reach (compared to the predecessor EU rules concerning protection of personal data) ensures a significant number of U.S. businesses, which might intuitively or superficially conclude otherwise, may be covered by the regulation. The GDPR presents an unprecedented effort by a governmental unit to protect the privacy of its subjects’ personal data.
