The U.S. Department of Justice (DOJ) arrested and charged a Chinese national with theft of trade secrets. The department alleged Hongjin Tan, 35, stole trade secrets from his employer, a U.S. petroleum company.
Assistant Attorney General for National Security John Demers said in an announcement that Tan, who is both a Chinese national and a U.S. permanent resident, is charged with stealing trade secrets related to a product, with a value of more than $1 billion, “to use for the benefit of a Chinese company where he was offered employment.”
According to the criminal complaint, Phillips 66, an Oklahoma-based company, claimed a trade secret connected to the manufacture of a battery-related product. While working for the company, Tan purportedly downloaded hundreds of files on how to engineer “Product A.”
Tan planned to release information on the product to a company in Xiamen, China, which offered employment, as well as the equivalent of $58,000 for “introducing the talent” and a guarantee that the product information was real and effective, according to a government affidavit.
Phillips 66 contacted the FBI one day after Tan gave a supervisor two weeks’ notice of his resignation and declared his intent to return to China. After Tan resigned, a review of the company’s computer systems showed he accessed hundreds of files, including reports on Product A’s engineering. Such files were considered outside the scope of Tan’s employment as a scientist for Phillips 66’s battery development group. (U.S. v. Tan, U.S. District Court for the Northern District of Oklahoma, No. 18-mj-179-JFJ, 2018)
The Illinois State Supreme Court ruled that consumers can sue over privacy violations without proof of actual injury or harm as a result of the violation. The ruling stems from a lawsuit brought by parents representing their 14-year-old son, who alleged that Six Flags violated Illinois’ biometric law when it collected the child’s fingerprints because it did not provide notice or get a signed release prior to the collection.
The state’s Biometric Information Privacy Act, passed in 2008, supervises the management of persons’ biometric identifiers, including fingerprints, iris and retina scans, face geometry and hand scans, and other related information. The act requires that private entities or organizations give written notice and receive a signed release before collecting such information and identifiers. The law also compels that private entities state how long the information will be collected and stored, and how it will be used.
The amusement park tried to have the case dismissed because it said there was no additional harm. The court held, however, that under the state’s biometric privacy law, the threshold for filing a suit is if a person’s rights under the act were violated.
In a unanimous opinion, written by Chief Justice Lloyd Karmeier, the court said a person is sufficiently aggrieved “when a legal right is invaded by the act complained of...” According to the court, the violation of rights related to biometric information “constitutes an invasion, impairment, or denial of the statutory rights of any person or customer.… No additional consequences need be pleaded or proved.” (Rosenbach v. Six Flags Entertainment Corp. et al, Illinois Supreme Court, No. 123186, 2019)
PRIVACY. The French National Data Protection Commission (CNIL) fined Google LLC €50 million on 21 January 2019 for data protection violations that potentially deprived users of privacy guarantees.
The commission imposed the financial penalty as a result of a lack of transparency, inadequate information, and lack of valid consent to use personal data for ads personalization. CNIL received group complaints from two associations, None Of Your Business and La Quadrature du Net, on 25 May 2018 and 28 May 2018. The associations claimed Google lacked a valid legal basis to process users’ personal data, particularly for ads personalization purposes.
CNIL’s restricted committee, which examines such breaches, investigated Google’s compliance with processing operations under the French Data Protection Act and the European Union’s General Data Protection Regulation (GDPR). The committee found that Google exhibited a lack of transparency when conveying information to users and had no legal basis for ads personalization processing. The violations were not a one-time incident and are still occurring, the committee said.
The information Google provided about its processes “is not easily accessible for users,” according to an announcement from CNIL. Information that would lead to a clear understanding of Google’s processing operations, including purposes, data storage periods, or the types of personal data used for personalization of ads, is “excessively disseminated across several documents…. Users are not able to fully understand the extent of the processing operations carried out by Google.”
The committee also determined that the processing operations themselves were “particularly massive and intrusive,” due to the quantity and quality of the data processed and combined.
CNIL’s committee also found that users’ consent to process data for ads personalization was not validly obtained, since users were not sufficiently informed about what consent would entail and consent was neither “specific” nor “unambiguous.”
This fine marks the first time the committee applied the GDPR to such violations. The financial penalty, “and the publicity of the fine, are justified by the severity of the infringements,” the commission said.
“The infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services, and almost unlimited possible combinations,” CNIL said.
FINES. The U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) increased civil penalties for violations.
OSHA issued a prepublished version of the notice on 15 January 2019 in The Federal Register. The new penalties apply only to citations issued after the effective date. Incidents that would trigger such financial penalties include, but are not limited to, monetary, employment of homeworkers without a certificate, minimum wage and overtime, child labor, and certain safety violations.
Penalties for all violations increased by $326 per violation, although the agency anticipates U.S. states will adjust their own penalty structures with federal OSHA, so far there has been little alignment with penalty increases from various state plans.
U.S. President Donald Trump signed legislation into law that extends a U.S. Department of Homeland Security (DHS) program that provides oversight of the nation’s chemical facilities.
Signed on 18 January 2019, the law (P.L. 116-2) grants a 15-month extension to the DHS’s Chemical Facility Anti-Terrorism Standards Program (CFATS).
Under the program, the DHS Infrastructure Security Compliance Division looks at the highest-risk facilities and works with the owners and operators to establish adequate security measures concerning certain hazardous chemicals to prevent their use in a terrorist attack.
Chairman of the U.S. House of Representatives Committee on Homeland Security Bennie Thompson (D-MS) introduced the legislation, which had seven cosponsors.
New York Governor Andrew Cuomo signed legislation into law that bars discrimination based on gender identity or expression.
Although the state already prohibits discrimination, harassment, and retaliation by individuals, employers, and state agencies due to gender identity, the new law amends the New York State Human Rights Law and other statutes to strengthen such protections against potential legal challenges.
Under the new law, New York will now classify criminal offenses involving gender identity expression as hate crimes. The new classification could trigger additional penalties, because a hate crime can be classified as a felony, which can result in a longer sentence. For example, a mandatory minimum sentence for second-degree murder is 15 years to life; however, if the conviction is second-degree murder as a hate crime then the mandatory minimum sentence escalates to 20 years to life.
Cuomo included the bill, the Gender Expression Non-Discrimination Act (GENDA), in his 2019 agenda. The law’s discrimination prohibitions went into effect in February 2019, and its hate crimes provisions go into effect on 1 November 2019.
Michigan Governor Gretchen Whitmer signed executive directive 2019-9 to expand sexual orientation discrimination protections for private employees and strengthen protections for the LGBT community.
The directive instructed agencies to not discriminate against employees based on sexual orientation or gender identity.
Employment protections will apply to all state employees, including classified and unclassified employees, employees of government contractors, and anyone receiving state services. The directive also extends prohibitions on discrimination based on sexual orientation and gender identity or expression.
In May 2018, the Michigan Civil Rights Commission found that the state’s civil rights law included sexual orientation and gender identity. According to the Human Rights Campaign, before the executive order went into effect, Michigan was one of 31 U.S. states that lacked comprehensive statewide nondiscrimination protections for members of the LGBTQ community.
The state’s support for such protections contrasts the actions of the Trump Administration, which in 2017 ordered the DOJ to support the position that a civil rights law that bans workplace discrimination on the basis of sex does not include transgender people.
Further opposition to the administration’s stance on the issue also arose 3 January from the U.S. House of Representatives, which passed the first rules package to ban discrimination based on sexual orientation and gender identity.
Speaker of the U.S. House of Representatives Nancy Pelosi (D-CA) said she would make the Equality Act a priority for Congress. The bill proposes comprehensive federal protections for members of the LGBTQ community.
Elsewhere in the Courts
Former Yahoo! Inc. directors and officers will pay $29 million to settle a lawsuit brought by shareholders after a series of data breaches compromised roughly 3 billion user accounts. The settlement resolves three lawsuits in California and Delaware against former company directors and officers; the shareholders claimed the executives’ management negatively impacted the company’s value and held them personally liable for actions that purportedly contributed to the series of data breaches. Previous lawsuits with similar allegations ended in settlements with relatively small financial consequences and changes to corporate governance. (Oklahoma Firefighters Pension and Retirement System v. Brandt, Court of Chancery State of Delaware, No. 2017-0133, 2019)
Atlantic Capes Fisheries, Inc., a New Jersey-based shellfish harvester and processor, and BJ’s Service Co., Inc., a Massachusetts-based staffing agency, will pay $675,000 to settle a sexual harassment and retaliation suit filed by the U.S. Equal Employment Opportunity Commission (EEOC). Women at a fishery were subjected to “ongoing and egregious” sex-based harassment since at least 2013. The lawsuit also alleged that despite knowing about the harassment neither Atlantic nor BJ’s tried to stop or punish the harassers. Instead, the companies fired two women who had filed discrimination charges with the EEOC. Women employed at the facility since January 2013 who were harassed are eligible to receive a portion of the settlement. Both companies must create or revise sex discrimination and retaliation policies. (EEOC v. Atlantic Capes Fisheries, Inc. et al., U.S. District Court for the District of Massachusetts, No. 1:17-cv-11860, 2019)
The U.S. Supreme Court agreed to take a case on banning regional transportation of certain firearms. The issue is whether New York City’s ban on transporting a licensed, locked, and unloaded handgun between a home and a shooting range outside city limits is consistent with the Second Amendment, the commerce clause, and the right to travel. (New York State Rifle & Pistol Association Inc. v. City of New York, U.S. Supreme Court, No. 18-280, 2019)