With the EU’s General Data Protection Regulation (GDPR) scheduled to go into effect in May of 2018 – an ambitious effort to harmonize a patchwork of EU privacy laws and create a uniform privacy regime that restricts the collection, processing and use of individual information – Germany has become the first member state to amend its own privacy laws in anticipation of the coming changes. In May 2017, the German Federal Council (‘Bundesrat’) passed an act intended to bring the current German data protection laws in line with the requirements of the GDPR. On July 5, 2017, the new German Federal Data Protection Act (‘Bundesdatenschutzgesetz’), referred to as the German Data Protection Act, was countersigned by the German Federal President and published in the Federal Law Gazette. The Act utilizes some of the framework and concepts of the GDPR to enhance Germany’s existing data protection rules, while at the same time modifies existing German privacy rules to allow for certain data to be used more freely in cases of national security and employment. Under the new German law, employee data can be processed if “necessary” to establish or carry out the employment relationship (for example, to enforce a collective bargaining agreement)....
Author: Jeffrey L. Nagel
Second Circuit Reverses Lower Court Microsoft Decision and Holds That Email Evidence Stored Abroad Cannot Be Gathered Pursuant to Criminal Warrant Issued Under Stored Communications Act
In a prior post, we reported that Southern District of New York Magistrate Judge Francis determined that Microsoft must comply with a U.S. Government’s warrant seeking a user’s email content, even though the emails are stored in Microsoft’s datacenter in Dublin, Ireland. After the lower court declined to quash the subpoena and held Microsoft in contempt for failing to turn over customer content stored abroad, Microsoft appealed to the Second Circuit. On July 14, 2016 the appeals court issued an extensive opinion reversing the lower court’s ruling.
As previously noted, in response to the European Court of Justice ruling in Schrems v. Data Protection Commissioner (Case C-362/14) striking down as inadequate the so-called “safe harbor” agreement that existed for more than a decade, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. Described as the EU-U.S. “Privacy Shield” agreement, that framework has now been vetted by EU Member States, modified in certain respects, and formally adopted on July 12, 2016 by the European Commission.
Anyone reading recent headlines knows that Apple, Inc. is engaged in a legal, and ultimately political, struggle with the U.S. Government over access to the cell phone of Syed Rizwan Farook, one of the shooters in the December 2, 2015 terror attack at the Inland Regional Center in San Bernardino, California. The core issue in that California proceeding is whether Apple should be forced to “create and load Apple-signed software onto the subject iPhone device to circumvent the security and anti-tampering features of the device in order to enable the government to hack the passcode to obtain access to the protected data contained therein.”
New “Privacy Shield” Agreement Seeks to Resurrect a Safe Harbor for EU-U.S. Data Transfers – Can it Succeed?
On February 2, 2016, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. It was appropriate that the announcement came on Groundhog Day, because we have been here before.
Twitter’s ubiquitous 140-character-or-less tweets are not, the company argues, sufficiently similar to email or other forms of stored electronic information to warrant lumping them together with the likes of Google, Microsoft, Facebook, Yahoo!, or Apple, all of which have agreed to restrictive limitations on their public reporting of government surveillance. Twitter has sued the U.S. Government in federal court in California to make its point.
New York Court Rules Email Evidence Stored Abroad is Subject to Criminal Warrant Issued Under Stored Communications Act
Southern District of New York Magistrate Judge Francis has determined that Microsoft must comply with a U.S. Government’s warrant seeking a user’s email content even though the emails are stored in Microsoft’s datacenter in Dublin, Ireland. The decision is likely to get widespread attention and be the subject of future court review, as it expands the reach of a government criminal warrant beyond the borders of the United States to allow for the collection of evidence abroad.
In 2006, responding to terrorist attacks in London and Madrid, the European Commission impelemented a data retention directive (the “Directive”) seeking to harmonize EU member states’ retention of certain electronic data that is generated or processed by providers of electronic communications services or public communications networks. The Directive requires, among other things, that Internet service providers retain details of network user communications and information necessary to identify particular users for at least six months and, in some cases, up to two years.
Nothing “Safe” About It: Companies That Falsely Certify Compliance with the U.S.- E.U Safe-Harbor Framework May Receive Years of Regulatory Oversight
In 2000, the European Commission and U.S. Department of Commerce developed the so-called “U.S.-E.U. Safe-Harbor Framework” as a way to foster data transfer between the United States and E.U. countries notwithstanding concerns that U.S. privacy laws do not offer the same level of protection as E.U. laws with respect to personally identifiable information. As part of the safe-harbor framework, companies that choose to enter the program must publicly declare compliance with the safe-harbor requirements, which include adherence to seven privacy principles touching on the areas of notice, access, data integrity, individual choice (opt in/out rules), security, third-party transfer, and enforcement. The principle of “enforcement” includes making sure that procedures are in place to verify a company’s adherence to the rules and a sanctions regime sufficient to ensure compliance.
Judge Scheindlin Weighs Comity Concerns and Orders Production of Documents from Bank of China Despite Violation of Chinese Laws
In Aerospatiale v. District Court of Iowa the United States Supreme Court admonished lower courts that international comity compels them to “take care to demonstrate due respect for any special problem confronted by the foreign litigant on account of its nationality or the location of its operations, and for any sovereign interest expressed by a foreign state.” As previously noted, some prominent groups such as the ABA and The Sedona Conference® recently have developed principles and standards to help courts heed that advice.