As we continue to see the economic impact of COVID-19, it is not difficult to imagine that we will see an increase in bankruptcy filings. The phrase “Data is the New Oil” is not uncommon and, in fact, highlights that data in a digital economy can be one of the most valuable assets a business possesses. The “data” can be in the form of intellectual property or trade secrets, but it most likely includes the personal data a business collects on its consumers. It naturally follows that bankruptcy courts will see a rise in the number of debtors that want to use this valuable asset in bankruptcy. Specifically, debtors will sell their customer lists. These customer lists often include what is considered personal data or information, which can significantly implicate data privacy laws.
At the outset, it is important to understand that under most regulatory definitions of personal data, the term includes things like an individual’s name with their address, financial information, social security number, and so forth. However, the specific definition of what constitutes personal data varies state-by-state, country-by-country, and statute-by-statute.
In 2005, Congress made significant changes to the Bankruptcy Code by enacting the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 (“BAPCPA”). See Pub. L. No. 109-8, § 231, 119 Stat. 23, 72-73 (2005). Included in the amendments was a definition of what constitutes personally identifiable information (“PII”) under the Bankruptcy Code. The definition included a combination of an individual’s name with their physical address, email address, telephone number, social security number, or credit card number that when taken together can identify the individual. 11 U.S.C. §101(41A). This definition of PII aligns with some laws, but newer data privacy laws tend to cast a wider net.
Traditionally, consumer privacy ombudsmen (“CPOs”) will review nonbankruptcy federal privacy laws including the Children’s Online Privacy Protection Act (“COPPA”) for children’s information, the Health Insurance Portability and Accountability Act (“HIPAA”) for medical information, and the Gramm-Leach-Bliley Act (“GLBA”) for when the debtor provides financial services. Another common law considered by the CPO has been the Federal Trade Commission Act (“FTC Act”). 15 U.S.C. §§41-58. The FTC is charged specifically with protecting consumers from unfair or deceptive business practices and can commence legal actions against companies that do not comply with posted privacy policies.
However, given the changes in the data privacy landscape, the CPO will now need to expand the scope of his/her legal review to determine if the sale of personal data complies with bankruptcy and non-bankruptcy laws (i.e., privacy laws). In addition to nonbankruptcy federal laws, a CPO must consider international data protection laws. The European Union enacted the General Data Protection Regulation (“GDPR”), which impacts many companies in the U.S. that collect data on data subjects located in the European Union. Navigating the complexities of the GDPR and whether the debtor properly collected the personal data it seeks to sell is important. A qualified CPO unquestionably needs to have a thorough understanding of both the GDPR and its extraterritorial implications.
Furthermore, a determining factor for the sale of personal data is the way that data is categorized and stored. Many organizations do not have a data inventory or data categorization that would inform a CPO of the existence and storage of GDPR-impacted personal data. A CPO would need to have a thorough understanding of the nature of the data collected, the primary and secondary purpose for the collection of that data, and whether the appropriate GDPR protections were afforded to that data before he/she can even begin to perform a thorough analysis of whether that data can be sold. To say that the GDPR has complicated this analysis is an understatement. However, it is definitely not the only fly in the proverbial ointment that could impact a debtor’s ability to sell the consumer data.
In the absence of a federal data protection law, states have begun enacting their own data privacy laws. The classic example is, of course, the California Consumer Privacy Act (“CCPA”), which went into effect on January 1, 2020. Like the GDPR, the CCPA provides strict protections to consumer data. The CCPA directly impacts for-profit businesses that “do business” in California and that: (i) have gross revenues exceeding twenty-five (25) million dollars; (ii) buy, receive, sell, or share personal information of more than 50,000 consumers, households, or devices; or (iii) derive fifty percent (50%) or more of their annual revenues from selling consumers’ personal information. Cal. Civ. Code § 1798.140(c). While we do not yet have any guidance on how the courts will interpret the CCPA, it seems on the surface that it will have similar extraterritorial implications to the GDPR. Therefore, a CPO also needs to consider whether the debtor’s business activities trigger CCPA protections for consumer data, and if so, whether those protections would be violated by the sale of the consumer data in the bankruptcy proceeding.
The GDPR and CCPA are predictably not the only games in town. Illinois’ Biometric Information Privacy Act (“BIPA”) establishes standards for the retention, collection, disclosure, and destruction of biometric identifiers and biometric information. As part of its findings, the Illinois legislature cited the unique nature of biometric data, i.e., that it is biologically unique to the individual and that, once it is compromised, the individual has no recourse or ability to change the data, as can be done with a name or social security number. 740 Ill. Comp. Stat. Ann. 14/5(c). Moreover, Nevada’s Internet Privacy Law, which became effective on October 1, 2019, significantly expanded the previous online privacy law with the addition of opt-out obligations, changes to notice requirements, and a private right of action. Nev. Rev. Stat. Ann. § 603A.310.
Other states are also seriously considering data privacy laws. New York, Pennsylvania, Texas, New Jersey, Massachusetts, and Washington State are among a growing list of states that are either in the process of drafting new data privacy laws or are awaiting passage of such a law. Likewise, international regulations are not solely limited to the GDPR. Countries including Canada, China, Japan, Russia, South Korea, and Australia have all enacted data privacy laws. To say that the impact of data privacy laws on bankruptcy proceedings is just beginning is an obvious understatement. Thus, while bankruptcy proceedings may not have been consumer-privacy focused in the past, they undoubtedly will be in the future.
Data privacy laws always impact and implicate technology, so CPOs will need to have multiple arrows in their quiver. They will need an advanced understanding of domestic and international data privacy regulations, technology, and business operations to fully assist bankruptcy courts with consumer privacy issues. Bankruptcy courts have already seen a wave of cases that implicate consumer data privacy, and that was during a good economy. So having CPOs with a depth of knowledge on the complexities of privacy regulations, both domestic and international, and how they fit with technology will certainly advantage bankruptcy courts as they decide how to balance the needs of the bankruptcy estate against the right to data privacy.
Bankruptcy courts have always had to balance the debtor’s interest in maximizing the value of the asset against the consumer’s privacy interest in his/her personal data. However, data privacy has not been a primary focus in bankruptcy law. As we see an increase in data privacy laws, both domestically and internationally, more and more bankruptcy courts will be faced with considering the privacy impact on consumers when a debtor attempts to sell the personal information of its consumers. The sale of consumer data in bankruptcy proceedings is on a collision course with domestic and international privacy laws, as the traditional notions of privacy are being inverted when states and countries create a privacy framework to protect the data of their citizens.
* * * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.