On November 6, a legally blind individual filed a complaint against the NBA, alleging a violation of the Americans with Disabilities Act and seeking a permanent injunction requiring the NBA to (i) implement corporate policies that ensure website accessibility for the blind; and (ii) format its website so that it is compatible with screen reading or text-to-audio software, upon which the visually impaired rely to use the internet. Jahoda v. National Basketball Association No. 2:15-cv-01462 (W.D. Pa. Nov. 6, 2015). The complaint asserts that merely formatting the website so that it is compatible with a screen reader will not solve the larger issue: “Web-based technologies have features and content that are modified on a daily, and in some instances an hourly, basis, and a one time ‘fix’ to an inaccessible website will not cause the website to remain accessible without a corresponding change in corporate policies related to those web-based technologies.” According to the complaint, the defendant’s website denies blind individuals equal access to the site because (i) information provided by scripting language is not identified with functional text that can be read by assistive technology; and (ii) people using assistive technology do not have access to the information, field elements, and functionality required to complete and submit an electronic form.
Second Circuit Upholds District Court Decision, Applies New York’s Six-Year Limitations Period on Contractual Claims
On November 16, the Court of Appeals for the Second Circuit affirmed the Southern District of New York’s decision to dismiss a leading global bank’s complaint against a nonbank mortgage lender alleging breach of contractual obligations to repurchase mortgage loans that violated representations and warranties. Deutsche Bank Nat’l Trust Co. v. Quicken Loans Inc., No. 14-3373 (2nd Cir. Nov. 16, 2015). The bank, under its right as Trustee of the loans, alleged that the lender breached aspects of representations and warranties contained in a 2006 Purchase Agreement, including those related to (i) borrower income; (ii) debt-to-income ratios; (iii) loan-to-value and combined loan-to-value ratios; and (iv) owner occupancy. The bank’s complaint also alleged that it sent the lender a series of notification letters between August 2013 and October 2013 demanding cure or repurchase of the loans, which the lender allegedly failed to do without justification. The bank challenged the District Court’s decision by arguing that New York’s six-year statute of limitations on contractual claims did not apply because the terms of the representations and warranties contained an “Accrual Clause” placing future obligations on the lender. Read more…
Recently, the District Court for the District of Columbia issued an opinion recognizing a company’s right to maintain privacy when challenging a CFPB Civil Investigative Demand (CID). John Doe Company No. 1 v. CFPB, No. 1:15-cv-1177 (D.D.C. Oct. 16, 2015). After receiving a CID from the Bureau, the Plaintiffs requested that the CFPB allow counsel to be present at a voluntary investigative hearing; the Plaintiffs’ request and subsequent petition to the CFPB were denied. On July 22, 2015, Plaintiffs filed a complaint against the CFPB seeking a temporary restraining order (TRO) and a motion to seal the case, arguing that sealing was appropriate because (i) CFPB investigations are normally nonpublic; and (ii) sealing the case would protect Plaintiffs from the harm that an ongoing investigation would cause if it were disclosed to the public. The court applied a six-factor test established by the D.C. Circuit in United States v. Hubbard to determine whether the court records should be released, considering the need for public access to the documents, the strength of the property and privacy interests involved, the possibility of prejudice against the Plaintiffs, and other factors. In a “compromise [to maximize] the amount of information available to the public while still protecting the privacy interest Plaintiffs assert,” the court ruled to unseal the case but ordered Plaintiffs to file redacted versions of all files pertaining to the case, omitting the names of Plaintiffs and “any other information reasonably likely to lead to the disclosure of Plaintiffs’ identities.”
Maryland Court of Special Appeals Holds MCSBA Applies to Loan Broker Working with Federally Insured Out-of-State Banks
On October 27, the Maryland Court of Special Appeals held that a loan broker who originates loans in Maryland for a federally insured out-of-state bank and then repurchases those loans days later qualifies as a “credit service business” under the Maryland Credit Services Business Act (MCSBA) and must be licensed accordingly. Md. Comm’r of Financial Reg. v. CashCall, No. 1477, 2015 WL 6472270 (Md. Ct. Spec. App. Oct. 27, 2015). The loan broker argued, citing Gomez v. Jackson Hewitt, Inc., 427 MD. 128 (2012), that it was not a “credit service business” within the meaning of the MCSBA because the MCSBA did not apply to the out-of-state federally insured bank that made the loans and because the loan broker did not receive a direct payment from the consumer. The Commissioner and the court disagreed. In affirming the Commissioner’s decision and in overturning the decision of the Circuit Court for Baltimore, the Court of Special Appeals reasoned that the MCSBA applied because (i) the loan broker was engaged in the very business the MCSBA was intended to apply to (i.e. it was exclusively engaged in assisting Maryland consumers to obtain small loans); and (ii) after repurchasing the loan, the loan broker had the right to receive direct payment from consumers. The Court of Special Appeals remanded the case to the Circuit Court for Baltimore.
On October 28, the U.S. District Court for the Northern District of Illinois filed a default judgment and order against a for-profit college company to resolve litigation with the CFPB. In a September 2014 lawsuit, the CFPB alleged that the company engaged in unfair and deceptive practices by making false and misleading representations to students to encourage them to take out private student loans. The CFPB also alleged that the company violated the FDCPA by taking aggressive and unfair action to collect on the loan payments when they became past due. The court order requires the company to pay approximately $531 million in redress to student borrowers, which the company is unable to pay because it has dissolved and its assets have been distributed in its bankruptcy case. The CFPB indicated that it will continue to seek additional relief for students affected by the company’s practices despite the company’s inability to pay the judgment.
On October 13, the Northern District of Alabama entered an order compelling an employer and employee to arbitration where the employer demonstrated the existence of an electronic arbitration agreement. Yearwood v. Dolgencorp, No. 6:15-cv-00898-LSC, 2015 U.S. Dist. LEXIS 138993 (N.D. Ala. Oct. 13, 2015). The employee provided an affidavit denying ever having seen or signed such a form electronically. The court held that under the Alabama version of the Uniform Electronic Transactions Act, the burden of proving attribution of the signature to the employee falls on the employer. In support of its motion to compel arbitration, the employer offered evidence demonstrating its practice of requiring employees to complete a series of electronic forms upon hiring, which included the arbitration agreement. The employer also produced evidence demonstrating that the arbitration agreement was executed by someone using the employee’s unique access credentials (user ID and password) on the employer’s online hiring system, and that the employee’s password had to be re-entered at the time of signing. The employer also produced evidence that the employee agreed to use the electronic signature system and agreed to keep her password confidential. Weighed against the employer’s proof of its process and records demonstrating execution, the court held that employee’s blanket denial by affidavit was insufficient to rebut the proof of attribution. The court found that the signature on the arbitration agreement was attributable to the employee and ordered the parties to arbitrate.
On October 13, a Michigan Court of Appeals held, in a dispute over the execution of an electronic contract, that a party who documented its electronic presentation, execution and retention process and audit trails was entitled to summary judgment on a contract claim against a party who offered affidavits denying ever seeing or executing the electronic agreement. Harpham v. Big Moose Inspection, No. 321970, 2015 WL 5945842 (Mich. App. Oct 13, 2015). At issue was a contract for home inspection services, which the plaintiffs denied (by affidavit) ever seeing or executing at the summary judgment stage. In support of its motion for summary judgment, the defendant submitted an affidavit describing its usual process for the delivery of electronic contracts to customers via email by a secure link. In addition, the defendant’s affidavit also described an audit trail which showed: (i) when the agreement was posted to the defendant’s secure website; (ii) the date a link to the agreement on the secure website was emailed to the plaintiffs; (iii) the two times someone using plaintiff’s access credentials to the secure site accessed the agreement; (iv) that someone using the same credentials signed the agreement electronically by clicking a button indicating acceptance; and (v) that the defendant generated and stored a record of that agreement. The court noted that under Michigan law, where the party seeking to enforce the signature has provided admissible evidence of attribution, mere conclusory statements regarding the authenticity of a signature are insufficient to avoid summary disposition. The person denying the authenticity of the signature must provide some admissible evidence countering the evidence supporting attribution.
On October 16, the Article 29 Working Party (Working Party) released a statement regarding the October 6 Court of Justice of the European Union’s decision to invalidate the adequacy of the U.S.-EU data protection Safe Harbor framework. The EU Court recently declared that the Safe Harbor Framework fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.” In response to the EU Court’s decision, the Working Party provided the following guidance on the implementation of the judgment: (i) a broad analysis of third country domestic laws and international commitments must be applied when determining if data transfers meet adequacy standards; and (ii) Member States and European institutions should hold open discussions with U.S. authorities to “find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights.” The Working Party noted that it will continue to monitor the Irish High Court for developments concerning the Schrems opinion, but that “[i]f by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
On October 14, the Court of Appeals for the Third Circuit ruled the recipient – intended or not – of a prerecorded call has standing under the TCPA, so long as the recipient has sufficient ties to the number called. Leyse v. Bank of America NA, No. 14-4073 (3rd. Cir. Oct. 14, 2015). In 2011, a roommate of the intended recipient sued a financial institution after answering a prerecorded telemarketing call seeking to advertise credit cards on behalf of the financial institution. In 2014, the District Court of New Jersey dismissed the case on the grounds that the plaintiff was not the intended recipient of the call and, therefore, lacked standing. The Third Circuit vacated that ruling, holding that the TCPA’s “zone of interests encompasses more than just the intended recipients of the prerecorded telemarketing calls” and that “[l]imiting standing to the intended recipient would disserve the very purposes Congress articulated in the text of the Act.”
BuckleySandler Files Amicus Curiae Brief on Behalf of Industry Group in RESPA Case; Marks First Appeal Against CFPB Director Decision
On October 5, BuckleySandler attorneys filed an amicus curiae brief on behalf of the Consumer Mortgage Coalition (CMC) in the first case to come up on appeal to the District of Columbia Circuit since the CFPB was founded in 2011. In the CMC’s brief, BuckleySandler attorneys argued that the CFPB Director’s decision to ignore the decades-long interpretation of Section 8 of RESPA will harm consumers by eliminating an important form of risk retention, making the home mortgage closing process more difficult and expensive for consumers, and will particularly harm the country’s least affluent mortgage borrowers.
Special Alert: Cross-Border Data Transfers Significantly Impacted by EU Court Decision Invalidating Adequacy of U.S.-EU Data Protection Safe Harbor Framework
On October 6, the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (“Schrems”) declared “invalid” a decision of the European Commission that the United States-European Union Safe Harbor framework (Safe Harbor) provides adequate protection for personal data transferred from the European Union (EU) to the United States (U.S.). Thousands of U.S. companies have registered with the U.S. Department of Commerce in order to permit the transfer of personal data from the EU to the U.S.
The EU’s 1995 Data Protection Directive (Directive) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the Commission of the European Communities, U.S. companies participating in Safe Harbor have been deemed to meet adequacy standards. Advocate General (AG) Yves Bot of the CJEU issued an opinion in September (“AG Opinion”) calling that 2000 decision invalid. AG Bot’s opinion declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union” because that framework, in AG Bot’s view, contains holes that can allow access to European’s personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies. AG Bot stated his belief that, even with an adequacy decision, national Data Protection Authorities retain the power to assess the sufficiency of national data protection regimes outside the EU to which personal data will be transferred. Read more…
On September 30, the former CFO of Siemens S.A.-Argentina pleaded guilty in a federal court in New York to conspiring to pay nearly $100 million dollars in bribes to Argentinian officials. The former executive, Andres Truppel, who is a German and Argentinian citizen, pleaded guilty to conspiracy to violate the antibribery, internal controls, and books and records provisions of the FCPA, and conspiracy to commit wire fraud. As described in the U.S. Attorney’s Office for the Southern District of New York’s press release, the violations stemmed from Siemens’ bid to win an Argentine government contract worth $1 billion to create a national identity card system. Mr. Truppel faces up to five years in prison and three years of supervised release when he is sentenced; there is no information on when sentencing will occur.
Truppel was one of eight former Siemens executives indicted in 2011 on charges of conspiring to violate the FCPA and other statutes (see previous BuckleySandler coverage here and here). Siemens itself reached a record $800 million resolution in 2008 with the DOJ and SEC related to FCPA violations in numerous countries, including Argentina. Siemens S.A.-Argentina pleaded guilty to conspiracy to violate the FCPA’s books and records provisions as part of that resolution.
European Court of Justice Ruling on Validity of U.S.-EU Data Sharing Agreement Scheduled for October 6
Following up on an opinion issued on September 23 by the European Court of Justice Advocate General Yves Bot, the European Court of Justice is scheduled to issue its ruling on the validity of the U.S.-EU Safe Harbor Program on October 6. The High Court’s swift decision to issue judgment follows an opinion from the Advocate General advocating that the 2000 data sharing agreement between the U.S. and the European Union is invalid and inadequately protects Europeans’ personal data. Previous InfoBytes coverage can be seen here. The case is Schrems v. Data Protection Commissioner.
In an opinion that has the potential to seriously disrupt how U.S. companies can share data from Europe, on September 23, Advocate General (AG) Yves Bot of the Court of Justice of the European Union (CJEU) declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.” This is because that framework, in AG Bot’s view, contains holes that can allow access to European’s personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolutions have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies.
The EU’s 1995 Data Protection Directive (“Directive”) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the European Commission, U.S. companies participating in the U.S.-EU Safe Harbor Framework for personal data protection have been deemed to be compliant with that requirement. AG Bot’s opinion, however, calls that 2000 decision invalid. “To my mind, the existence of a [Commission] decision” on the sufficiency of a country’s personal data protection regime “cannot eliminate or even reduce” the powers of each EU member state’s Data Protection Authority, under Article 28 of the Directive, to independently assess the sufficiency of that country’s personal data protection regime. This opinion thus turns the power back over to individual EU countries to assess U.S. companies’ personal data protections, potentially leading to a fractured and technologically daunting state of digital commerce in Europe.
Negotiations are underway for a new U.S.-EU Safe Harbor Framework, but if AG Bot’s opinion is followed, no Framework would prevent country-by-country determinations of the sufficiency of a U.S. company’s personal data protections.