INSIGHT: Georgia Supreme Court Adds to Patchwork of State Data Privacy Laws

Weighing in on a conflict that has divided other states, the Georgia Supreme Court recently held that under Georgia law businesses do not have a duty to safeguard the personally identifiable information (PII) that they collect and store.

That holding in McConnell v. Georgia Department of Labor is a win for any business that may have to defend against a class action arising from a data breach, and also supports the argument made by many pro-business groups—and a diverse group of federal agencies, including the Federal Trade Commission—that Congress should enact comprehensive data privacy legislation that broadly preempts the ever-more complex patchwork of state data privacy laws.

To a small group of plaintiff-side class action attorneys, every announcement of a significant data breach is received with glee. Regardless of the circumstances giving rise to the breach, these attorneys swing into action, filing putative class actions in federal and state courts across the nation.

While their complaints generally allege a variety of claims, they also—almost uniformly—allege state-law negligence claims, the idea being that every business has a legal duty to safeguard the PII that it collects and stores.

Confronted with these claims, courts have divided, with some holding that every business has a common law duty to safeguard the PII that it collects and stores, while others have rejected that theory.

For instance, Pennsylvania’s Supreme Court has held that every business has a legal duty “to exercise reasonable care in collecting and storing … personal and financial information on its computer systems,” and the Southern District of California has held that the legal duty is “well supported by both common sense and California and Massachusetts law.” By contrast, the Central District of Illinois has held that no such duty exists under Illinois or Arizona law.

McConnell a Somewhat Surprising Decision

The McConnell decision is somewhat surprising, given that two federal judges from the Northern District of Georgia had already reached the opposite conclusion. Relying on the Georgia Supreme Court’s 1982 decision in Bradley Center Inc. v. Wessner, which held that businesses have a common law duty “to all the world” not to subject others “to an unreasonable risk of harm,” the two federal district court judges had held that the legal duty to safeguard PII was well established under Georgia law.

But the Georgia Supreme Court rejected their analysis. Although Georgia’s lower courts had relied on its Bradley Center decision for almost 40 years, the Georgia Supreme Court overturned Bradley Center, stating, among other things, that its key language “was not a correct statement of the law.”

The court then held that McConnell’s references to two Georgia statutes, each of which note the harms caused by public disclosure of PII, did not support his argument that a legal duty exists, as neither statute clearly states a duty to safeguard PII.

Then, without considering whether a legal duty should in fact exist under the common law, the court held that McConnell’s claim failed because he had not shown that the defendant “owed him or any other proposed class members a duty to protect their information against negligent disclosure.”

In light of the Georgia Supreme Court’s McConnell decision, plaintiff-side class action attorneys will be more inclined to file outside of Georgia and to rely, where possible, on claims arising under federal law or the law of other states. But where that is not possible, the decision will make it more difficult to certify a nationwide class that includes Georgia consumers, as it further deepens the divide among the states on whether a common law duty to safeguard PII exists.

The McConnell decision also bolsters the point made by many pro-business groups, the FTC, and several other federal agencies that Congress should enact comprehensive data privacy legislation. Many pro-business groups believe that comprehensive federal legislation should preempt existing state laws, with the result that the ever-more complex patchwork of state data privacy laws would give way to a simpler, middle-of-the-road regime that presents fewer compliance challenges and reduces litigation risks.

These groups can now point to McConnell as one more example of how state courts (and state legislatures) are taking diverse and contradictory approaches to protecting PII.

Working toward the same end, the FTC and other federal agencies favor comprehensive federal legislation because they see many consumers left without adequate safeguards. These agencies and their pro-consumer supporters can now illustrate that point with the Georgia Supreme Court’s decision in McConnell, which arguably leaves Georgia consumers with weaker data privacy protections than consumers in most other states.

From our perspective—as attorneys who regularly defend companies facing parallel government enforcement actions and class actions—we see both sides of this debate. Comprehensive federal legislation is sorely needed, but it must strike a balance that allows businesses to flourish without leaving consumers at the mercy of careless business practices.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Tim Butler regularly represents clients in high-stakes litigation, enforcement and regulatory matters. Prior to joining the national law firm Troutman Sanders, he was a senior official in the George Attorney General’s Office and, prior to that, a prosecuting attorney at the Federal Trade Commission.

Hsiao “Mark” Mao helps organizations leverage their intellectual property while mitigating their privacy risks. An experienced litigator and former IT consultant, he has successfully resolved hundreds of cases and helped take to market hundreds of data-based products.

Tiffany Bracewell represents corporations and individuals in complex civil litigation and criminal actions.

Chelsea Lamb regularly defends corporate clients in government enforcement actions, class actions and complex commercial disputes.