Eleventh Circuit LabMD Decision Potentially Limits FTC’s Remedial Powers

The Eleventh Circuit has issued its decision in LabMD v. FTC, a closely watched case in which LabMD challenged the Federal Trade Commission’s authority to regulate the data security practices of private companies. The Court of Appeals declined to decide that issue, instead finding that the FTC’s order requiring LabMD to implement certain data security reforms was unenforceable because it lacked specificity. The court’s decision may nevertheless impact many of the FTC’s consent orders—even those not having to do with data security.As we previously reported, the FTC faulted LabMD for failing to have “basic” data security practices. The Commission found that this failure resulted in the unauthorized disclosure of personal information pertaining to 9,300 individuals. As a result, it ruled that LabMD’s data security practices amounted to “unfairness” under Section 5 of the FTC Act. And similar to many of the FTC’s other data security cases, it ordered LabMD to reform those practicesLabMD challenged the FTC’s order in federal court. Its primary argument was that the FTC exceeded its legal authority in finding that LabMD’s data security practices were unfair acts or practices under the FTC Act. After the Eleventh Circuit stayed enforcement of the FTC’s order, some observers believed that the court might agree with LabMD on this point. This would have created a circuit split with the Third Circuit, which upheld the FTC’s authority to regulate data security under the “unfair practices” prong of Section 5 of the FTC Act. However, the Eleventh Circuit did not address the FTC’s legal authority to regulate data security. Instead, the court assumed as true that LabMD’s failure to maintain reasonable data security was an unfair act or practice under Section 5.

Although the court did not limit the FTC’s legal authority to regulate data security, the Eleventh Circuit nonetheless ruled against the FTC—and in doing so may have limited the Commission’s ability to enforce broad remedial orders.

The court began its analysis by noting that the harm at issue in the case—the unauthorized disclosure of consumers’ personal information—occurred because a LabMD employee installed a peer‑to‑peer file‑sharing application on her work computer, against the company’s policy. The opinion suggests that the FTC could have crafted a sufficiently specific order to remedy this harm by requiring that LabMD eliminate the possibility that employees “could install unauthorized programs on their work computers.” Instead, the FTC went beyond this specific occurrence and alleged that LabMD’s data security practices were deficient as a whole. As the court put it: for the Commission, “it was LabMD’s multiple, unspecified failures to act in creating and operating its data-security program that amounted to an unfair act or practice.” And in order to remedy this perceived widespread failure, the FTC’s order included “sweeping prophylactic measures” that would have regulated “all aspects” of LabMD’s data security practices.

It was the vagueness—in the court’s view—of these prophylactic measures that resulted in the Eleventh Circuit vacating the FTC’s order for lack of specificity. The court found that the order would have required LabMD to satisfy “an indeterminable standard of reasonableness” rather than instructing the company “to stop committing a specific act or practice.” And in requiring that LabMD meet this standard, the order included “precious little about how this [would have been] accomplished.” As a consequence of failing to include greater specificity in the order, the Eleventh Circuit feared that it would have fallen on a federal district court in enforcement proceedings to give concrete meaning to the order’s requirements. But because the order was “devoid of any meaningful standard informing the court what constitutes a ‘reasonably designed’ data-security program,” the district court would have no way of determining whether LabMD was complying with the order.

It is not yet clear how the FTC will respond to this decision. The Commission might seek rehearing en banc or appeal the decision to the Supreme Court in order to address some of the questions left unanswered by the Eleventh Circuit’s opinion. For example, in reaching its conclusion, the court did not discuss the long-standing “fencing-in” doctrine—under which the FTC has historically justified its broad remedial orders—although the Commission raised the issue in its brief.

If the decision stands, however, it could affect the viability of some of the Commission’s remedial powers. Many of the consent orders that the FTC has required companies to adopt—particularly those involving data security but also some related to other issues—have included broad prophylactic remedies that are similarly premised on a reasonableness standard. In the wake of this decision, perhaps some of those companies may now wonder whether their orders are also unenforceable.

The Week Ahead in the European Parliament – June 8, 2018

By Sebastian Vos on June 8, 2018 Posted in EU Law and Regulatory

Summary

Next week is plenary week in Strasbourg, France. A number of important votes, committee meetings and debates will take place. In addition, Dutch Prime Minister Mark Rutte will visit the Parliament on Wednesday to discuss the future of Europe with Members of the European Parliament (“MEPs”) and Commission President Jean-Claude Juncker.

During Monday’s plenary sitting, MEPs will debate the draft parliamentary report on CO2 emissions and fuel consumption of new heavy-duty vehicles, prepared by Rapporteur Marian-Jean Marinescu (EPP, RO). The draft report includes amendments aimed mostly at increasing transparency through new obligations, such as requiring manufacturers and Member States to submit data of newly registered vehicles. See the draft report here.

Also on Monday, the Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) will vote on a draft resolution about the adequacy of the protection afforded by the EU-U.S. Privacy Shield. The resolution calls upon the Commission and the U.S. competent authorities to restart discussions on the Privacy Shield arrangement, to make it comply with the new General Data Protection Regulation. The report also promotes the setting up of an action plan to address certain deficiencies in the Privacy Shield that the Commission has identified. See the draft motion for a resolution here and the amendments tabled to the resolution here.

On Tuesday, MEPs will debate the EU’s response to the U.S. withdrawal from the Iran Nuclear Agreement with EU foreign policy chief Federica Mogherini. The EU stands united behind the Iran nuclear deal. However, the Chair of the Foreign Affairs Committee (“AFET”) David McAllister (EPP, DE) stated that other issues of concern, such as Iran’s support to the Syrian regime or ballistic missiles program, should be addressed through other means.

Bank Loans to Federal Candidates

By Robert Lenhard on June 7, 2018 Posted in Bank Regulation, Uncategorized

FEC audit reports often address obscure topics, but today one touched on an important issue for banks. At an open meeting, a majority of FEC Commissioners would not support a staff recommendation that a bank violated the campaign finance laws when it made a loan based on collateral that was commercially reasonable under the banking laws, but from a source that was illegal under the election laws. All Commissioners agreed the campaign and source of the improper collateral could face a fine from the FEC, but so long as the bank operated in a commercially reasonable way to ensure repayment of the loan, it would not face liability.

The FEC staff audited the Kelly for Congress campaign, and found that it had secured a $50,000 bank loan with collateral from a campaign donor. Under the FEC’s rules, that collateral is considered an excessive contribution by the donor to the campaign. On this point, all four FEC Commissioners agreed. But the staff went further, recommending a finding that the bank had also violated the Federal Election Campaign Act of 1971, as amended (FECA), by permitting the loan to be made with collateral that was illegal under the campaign finance laws. The FEC staff reasoned that this meant the bank loan was not made under terms that “assured repayment.” Only two of the four Commissioners supported this view. Chair Hunter and Commissioner Petersen found the regulation that permitted the agency to look at the totality of the circumstances to determine if the loan was made on a basis that assured repayment had been met when the bank followed its normal course in securing adequate collateral for the loan.

This is not the first time the FEC has reached a similar result, although the facts were a bit different here. See, e.g., MUR 5262. But its effect is significant, for it means that banks need not be as concerned with the requirements and restrictions of FECA, and can remained focused on traditional banking standards and regulations when considering federal candidate loans. As with any rule based on a “facts and circumstances” test, banks should not read these decisions as a blank check. Had the collateral offered here not been from one of the bank’s trusted customers, but a secured interest in a Russian bot farm instead, presumably the FEC would have cast a colder eye on the commercial reasonableness of the transaction. But these decisions should provide some comfort to banks considering loans to federal candidates, parties and PACs, for it will limit their exposure in many instances.

The Week Ahead in the European Parliament – June 1, 2018

By Sebastian Vos on June 1, 2018 Posted in EU Law and Regulatory

Summary

After this week’s plenary in Strasbourg, the upcoming week will see the Members of the European Parliament (“MEPs”) gather in Brussels for a committee and political group week. Next week also marks the 30th anniversary for the European Parliament’s annual Sakharov Prize, awarded to individuals or groups who have made an exceptional contribution to the defense of human rights.

On Monday, the Committee on Agriculture and Rural Development (“AGRI”) and the Committee on the Environment, Public Health and Food Safety (“ENVI”) will hold a public hearing on labeling of origin for agricultural and food products. Representatives from the Commission, Member States and the food sector will inform the Committees on how national labelling schemes work on the ground and whether existing EU rules are sufficient enough to respond to consumers’ demand for transparency and the needs of actors throughout the food supply chain.

On the same day, the Committee on the Internal Market and Consumer Protection (“IMCO”) will vote on the adoption of the draft report on the proposal for a regulation on the free flow of non-personal data in the European Union, as presented by rapporteur Anna Maria Corazza Bildt (EPP, Sweden). The proposal aims to take away existing barriers that prevent the free flow of non-personal data within the EU. It is expected that this will create a significant increase in EU GDP. See the draft report here, and the proposal for a regulation here.

Later that day, the Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) will hold a hearing on the Facebook/Cambridge Analytica case. Among the speakers are former employees from both Facebook and Cambridge Analytica. They will discuss the use of Facebook users’ data by Cambridge Analytica and its impact on data protection. The draft agenda of the hearing is available here.

On Thursday morning, the ENVI Committee will consider the draft report on Health Technology Assessment (“HTA”) from rapporteur Soledad Cabezón Ruiz (S&D, Spain). HTA is a multidisciplinary assessment process that seeks to evaluate the added therapeutic value of health technologies (i.e., drugs, certain medical devices, medical treatments including surgical procedures, and measures for disease prevention and diagnosis) based on both clinical and non-clinical elements. The proposal aims to overcome a number of problems which, according to the report, cannot be sufficiently addressed without regulation at the EU-level. See the draft report here, and the proposal for a regulation here.

Also on Thursday, the Committee on Financial Crimes, Tax Evasion and Tax Avoidance will debate taxation and fight against money laundering concerning crypto currencies, digitalization and the European semester.

Meetings and Agenda

Monday, June 4, 2018

Committee on Agriculture and Rural Development and Committee on the Environment, Public Health and Food Safety

15:00 – 18:00

Public Hearing on “Labelling of Origin for Agricultural and Food Products”

Lawsuit Alleges That Self-Checkout Videos Violate the Song-Beverly Act

By David Bender and Yaron Dori on May 30, 2018 Posted in Uncategorized

A class-action lawsuit filed last month alleges that Wal-Mart’s video recording technology at its self-service checkout kiosks collects “personal identification information” in violation of the California Song-Beverly Act Credit Card Act of 1971 (“Song-Beverly Act”). The Song-Beverly Act, like analogous statutes in several other states, generally prohibits businesses from recording customers’ “personal identification information” as a condition of accepting a credit card payment.

The Complaint alleges that video recordings of a person’s eye color, hair color, and facial features constitute “personal identification information” under the Song-Beverly Act, and that clearer recordings of these features require different treatment than those made using ordinary security cameras. The Complaint further alleges that because this information allegedly is captured “throughout the entire duration of the customer’s credit card transaction,” the recording violates the statute. The Complaint characterizes the recordings as “valuable biometric data” that allegedly is collected for Wal-Mart’s “prospective business purposes, including but not limited to targeted marketing campaigns.”

Wal-Mart has removed the lawsuit to federal district court. It remains to be seen whether these novel allegations prove accurate or gain traction under the Song-Beverly Act, which to this point has not been applied to video recording technologies like those used at self-checkout kiosks.

The Week Ahead in the European Parliament – May 25, 2018

By Sebastian Vos on May 25, 2018 Posted in EU Law and Regulatory

Summary

The coming week will see the European Parliament hold a plenary setting in Strasbourg, France. Besides important votes, debates and committee meetings, this week will see visits from two Presidents and a Prime Minister.

The first session on Monday focuses on fisheries. Members of European Parliament (“MEPs”) will debate the multi-annual plan for demersal fish stocks (bottom feeders) in the North Sea and the fisheries exploiting those stocks, as described in a report by Ulrike Rodust (DE, S&D).

MEPs will also debate a report on sustainable finance by Molly Scott Cato (UK, Greens).

The Committee on International Trade will vote on whether to commence interinstitutional negotiations on a future framework for screening foreign direct investment into the European Union, on the basis of a report by Franck Proust (FR, EPP).

On Tuesday, the Parliament will hear an address by the President of the Republic of Guinea, Alpha Condé.

Thereafter, MEPs will vote on several multilateral agreements regarding trade between the EU, Norway, Switzerland and Turkey.

On Wednesday, the Prime Minister of Luxembourg, Xavier Bettel, will hold a debate with MEPs on the future of Europe. Shortly thereafter, Juan Manuel Santos Calderón, President of the Republic of Colombia, will address the European Parliament.

From the afternoon onwards, votes will be held on the mobilisation of the EU Solidarity Fund to provide assistance to Greece, Spain, France and Portugal. The related report by José Manuel Fernandes (PT, EPP) is available here. In the evening, MEPs will debate the implementation of the Ecodesign Directive – see Frédérique Ries’ (BE, ALDE) report here.

The Commission’s Proposal on Health Technology Assessment – Will the EU Member States Accept its Mandatory Provisions?

By Lucas Falco on May 25, 2018 Posted in EU Law and Regulatory

Introduction

Health technology assessment (“HTA”) is a multidisciplinary assessment process that seeks to evaluate the added therapeutic value of health technologies (i.e., drugs, certain medical devices, medical treatments including surgical procedures, and measures for disease prevention and diagnosis) based on both clinical and non-clinical elements. Until now, HTA has strictly fallen in the purview of EU Member States; they have cooperated among themselves in this field for more than 20 years on a purely voluntary basis. This has led to initiatives such as EUnetHTA, which is a network of national HTA bodies, and its various Joint Actions. Article 15 of the Cross-Border Healthcare Directive (Directive 2011/24) also provides for that national bodies responsible for HTA should cooperate on a voluntary basis. Gradually, these various actions have developed common criteria for the performance of HTA at national level. For example, the last “Joint Action 3” of EUnetHTA seeks to define common assessment methodologies, develop common ICT tools, and conduct and produce joint clinical assessments and HTA reports.

EU Member States have acknowledged the significant role that HTA plays and called on the European Commission to continue to support such initiatives (see, e.g., Council conclusions of December 6, 2014, on innovation for the benefit of patients). However, in a resolution of March 2, 2017, the European Parliament went a step further and called on the Commission to propose legislation on health technology assessment at the EU level to provide transparent and harmonized criteria to evaluate the added therapeutic value of drugs and other health technologies.

The Proposal For an EU HTA Regulation

On January 31, 2018, the European Commission introduced its proposal for a Regulation on Health Technology Assessment.

The Commission identifies several problems with the existing situation. It considers that health technology developers suffer from distorted market access, because the lack of common criteria means that they are confronted with data and evidence requests which vary between EU Member States. In addition, under the existing regime, national HTA bodies are responsible for the clinical assessment required to evaluate the added therapeutic value of health technologies; this means that all national HTA bodies perform their own clinical assessments in parallel, which generate costs and a duplication of work. Finally, the Commission deems that the current voluntary approach is not sustainable, because it is based on projects that are always run for a limited timeframe, with a limited budget, and are therefore subject to new negotiations at the end of each financial cycle.

Encryption Policy Issues in the EU

By Katarzyna Lasinska on May 25, 2018 Posted in EU Law and Regulatory

In light of increasing discussion about the public policy implications of encryption, opinions among EU Member States on how best to tackle the issue are split. Certain Member States, such as the UK, have repeatedly called for uninhibited access by national authorities to encrypted messages for national security purposes. Others recognize the legitimate security interests of users.

The EU has recognized the importance of this issue. The European Commission has therefore published a series of Communications and legislative proposals addressing encryption and access to data during criminal investigations.

Technical Measures

The conclusions drawn from a public expert consultation launched by the Commission were presented in a Communication on October 18, 2017, which laid out a number of technical measures aimed at supporting the activities of Member States on encryption.

The technical measures proposed include the following:

Strengthening Europol’s technical capabilities, in particular its decryption capabilities;
Developing a “toolbox” of both legal and technical instruments aimed at obtaining information encrypted by criminals in a facilitated manner;
Establishing a network of centers of expertise;
Establishing an observatory for future developments;
Providing training for law enforcement and judicial authorities, supported by EUR 500,000 from the Internal Security Fund in 2018;
Leading structured dialogue and collaboration with industry and civil society, and with internet service providers in particular, to help develop appropriate solutions while maintaining strong encryption.

Legislative Proposals

On April 17, 2018, the European Commission published a Communication on the Fourteenth progress report towards an effective and genuine Security Union and two legislative proposals: a proposal for a Regulation on European Production and Preservation Orders for electronic evidence (“e-evidence”) in criminal matters and a proposal for a Directive laying down harmonized rules on the appointment of legal representatives when gathering evidence in criminal proceedings. Both proposals intend to facilitate EU cross-border access to data by law enforcement authorities in criminal investigations.

EU Policy Update for Q1 2018 – Budgets and Upcoming EU Elections, Steel and Aluminum Tariffs, a “Digital Tax” proposal, and Brexit

By Jean De Ruyt, Sebastian Vos and Atli Stannard on May 25, 2018 Posted in EU Law and Regulatory

Four major issues dominated the EU agenda in the first quarter of 2018: institutional adaptations in view of next year’s elections and appointments; a threat by the United States to impose tariffs on imports of steel and aluminium; a proposal for a tax on technology companies; and the beginning of the second phase of the Brexit negotiations, focused on the transition period following the UK withdrawal.

Budget and Institutional Arrangements

On February 23, the European Council, in an informal meeting, discussed two communications from the Commission: one on the multiannual financial framework 2021-27, the other on the institutional “options” for the 2019 European elections – as to which, see our fuller analysis here.

On the budget, apart from the void left by the UK leaving the EU, the most sensitive issue discussed was the possibility of linking EU structural fund payments to Member States’ respect of “EU values.”

The institutional debate covered three main topics:

The replacement of Jean Claude Juncker, next year. The discussion in the European Council indicated clearly that the EU leaders want to get back to the letter of the treaty. Read strictly, this gives them the right to select a candidate for the Commission presidency, to be confirmed by the Parliament – and not the so-called “Spitzenkandidat” or “lead candidate” procedure, in which the chosen President must be the lead candidate chosen by the political group in the European Parliament that received the highest number of seats in the elections.

The composition of the European Parliament after Brexit. The Parliament itself had suggested placing 46 of the 73 British seats in reserve for future accessions, and distribute the remaining 27 among 14 EU countries that are currently under-represented in the Parliament. This proposal is likely to be approved, the Parliament having renounced an earlier proposal for a “transnational constituency,” with parliamentarians elected across the EU – which was not popular with most Member States.

The Week Ahead in the European Parliament – May 18, 2018

By Sebastian Vos on May 18, 2018 Posted in EU Law and Regulatory

Summary

Next week is a political group week in the European Parliament. Members of the European Parliament (“MEPs”) will hold meetings with their respective political party to prepare the plenary session, to be held in Strasbourg from May 28 to 31. However, there will also be a few interesting (committee) meetings. The upcoming week also marks the start of the 365-day countdown to the next European elections, which will take place on 23 to 26 May, 2019.

As Monday is a public holiday in Belgium, the week starts on Tuesday. It will start with a meeting between the European Parliament’s Conference of Presidents (composed of the President of the European Parliament, Antonio Tajani, and of the presidents of the various political groups) and Facebook’s CEO, Mark Zuckerberg. This meeting will be held behind closed doors. It is expected that the discussion will focus on the use of personal data of European Facebook users. The meeting will be followed by a press briefing.

On Wednesday morning, Commissioner for Budget and Human Resources Oettinger will present the Commission’s Draft Budget for 2019 during the Committee on Budgets (“BUDG”) meeting.

On Thursday, the Committee on Employment and Social Affairs (“EMPL”) will meet with Commissioner Thyssen on the recent proposal to establish a European Labour Authority.

Also on Thursday, the Committee on Constitutional Affairs (“AFCO”) will discuss the consequences for the EU of the future relationship agreement with the United Kingdom, guided by presentations by experts who produced three research papers on the topic. Please find two of the three research papers here and here; the third one is forthcoming.

On Friday 25 May, the European General Data Protection Regulation (“GDPR”) will come into force.

Meetings and Agenda

Monday, May 21, 2018

No meetings of note due to public holiday.

Tuesday, May 22, 2018

No meetings of note.

Wednesday, May 23, 2018

Committee on Budgets

11:00-12:30

Presentation of the Commission’s Draft Budget 2019 by Günther OETTINGER, Commissioner for Budget and Human Resources

Thursday, May 24, 2018

Joint meeting – Economic and Monetary Affairs and Constitutional Affairs

09:00-09:45

Discussion on amendments to the report “Amending Article 22 of the Statute of the European System of Central Banks and of the European Central Bank” (COD)
- Co-rapporteurs: Gabriel Mato (EPP, ES) and Danuta Maria Hübner (EPP, PL).

Committee on Employment and Social Affairs

09:00-12:30

Debates

Exchange of views, as part of the structured dialogue, with Valdis DOMBROVSKIS (Vice President) and Marianne THYSSEN (Commissioner)
Exchange of views with Marianne THYSSEN (Commissioner) – Presentation of the legislative proposal establishing a European Labour Authority

Committee on Civil Liberties, Justice and Home Affairs

09:00-12:30

Debates

Appointment of the European Chief Prosecutor – presentation by the political groups and discussion with Ingeborg GRAESSLE (EPP, DE), Chair of the Committee on Budgetary Control (09.00-10.00)
“Towards a Comprehensive EU Protection System for Minorities” – discussion on the study with Lina VOSYLIUTE from Centre for European Policy Studies (CEPS) (10.00-10.30)
Joint debate on opening of negotiations for an agreement between the EU and Jordan, Turkey, Lebanon, Israel, Tunisia, Morocco, Egypt and Algeria on the exchange of personal data between Europol and competent authorities of these countries for fighting serious crime and terrorism (INI), Claude MORAES (S&D, UK) – discussion on eight draft reports (10.30-11.00)
Joint debate on communication from the Commission and Council on adapting the common visa policy to new challenges and a report by Juan Fernando López AGUILAR (S&D, ES) establishing a Community Code on Visas (COD) (11.00-11.45)
Delegation to the European Union Agency for Law Enforcement Training (CEPOL), Budapest, Hungary, April 5-6, 2018 – discussion on draft mission report (11.45-12.00)

Votes (12.00-12.30)

Adequacy of the protection afforded by the EU-US Privacy Shield (RSP), rapporteur Claude MORAES (S&D, UK) – vote on draft resolution
Schengen – implementation of the remaining provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Bulgaria and Romania (CNS), rapporteur Monica MACOVEI (ECR, RO) – vote on draft report
Agreement between the EU and the Swiss Confederation and the EU and Iceland on supplementary rules in relation to the instrument for financial support for external borders and visa, as part of the Internal Security Fund, for the period 2014-2020 (NLE), rapporteur Claude MORAES (S&D, UK) (Swiss Confederation) and Anders PRIMDAHL VISTISEN (ECR, DK) (Iceland) – vote on two draft reports
The European Public Prosecutor (EPPO) – vote on the candidate of the European Parliament to the panel referred to in Article 14(3) of the Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office

Committee on Constitutional Affairs

09:45-18:00

Debates

Withdrawal of the United Kingdom from the European Union (Article 50 TEU) – discussion on the future of EU-UK cooperation with European Council on Foreign Relations (ECFR) representatives Mark LEONARD, ECFR’s Director and Wolfgang ISCHINGER, Former German Ambassador to the UK (10.00-11.00)

Votes (11.00-11.30)

Role of cities in the institutional framework of the Union (INI) – vote on a draft report
- Rapporteur: Kazimierz Michał Ujazdowski (NI, PL)

Workshop (14.30-16.00)

The consequences for the EU of the future relationship agreement with the United Kingdom – presentation by experts of three research papers commissioned by the Policy Department for Citizens’ Rights and Constitutional Affairs – draft programme will be available here

Friday, May 25, 2018

No meetings of note.