As previously noted, in response to the European Court of Justice ruling in Schrems v. Data Protection Commissioner (Case C-362/14) striking down as inadequate the so-called “safe harbor” agreement that existed for more than a decade, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. Described as the EU-U.S. “Privacy Shield” agreement, that framework has now been vetted by EU Member States, modified in certain respects, and formally adopted on July 12, 2016 by the European Commission.
Anyone reading recent headlines knows that Apple, Inc. is engaged in a legal, and ultimately political, struggle with the U.S. Government over access to the cell phone of Syed Rizwan Farook, one of the shooters in the December 2, 2015 terror attack at the Inland Regional Center in San Bernardino, California. The core issue in that California proceeding is whether Apple should be forced to “create and load Apple-signed software onto the subject iPhone device to circumvent the security and anti-tampering features of the device in order to enable the government to hack the passcode to obtain access to the protected data contained therein.”
New “Privacy Shield” Agreement Seeks to Resurrect a Safe Harbor for EU-U.S. Data Transfers – Can it Succeed?
On February 2, 2016, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. It was appropriate that the announcement came on Groundhog Day, because we have been here before.
Twitter’s ubiquitous 140-character-or-less tweets are not, the company argues, sufficiently similar to email or other forms of stored electronic information to warrant lumping them together with the likes of Google, Microsoft, Facebook, Yahoo!, or Apple, all of which have agreed to restrictive limitations on their public reporting of government surveillance. Twitter has sued the U.S. Government in federal court in California to make its point.
Nothing “Safe” About It: Companies That Falsely Certify Compliance with the U.S.-E.U. Safe-Harbor Framework May Receive Years of Regulatory Oversight
In 2000, the European Commission and U.S. Department of Commerce developed the so-called “U.S.-E.U. Safe-Harbor Framework” as a way to foster data transfer between the United States and E.U. countries notwithstanding concerns that U.S. privacy laws do not offer the same level of protection as E.U. laws with respect to personally identifiable information. As part of the safe-harbor framework, companies that choose to enter the program must publicly declare compliance with the safe-harbor requirements, which include adherence to seven privacy principles touching on the areas of notice, access, data integrity, individual choice (opt in/out rules), security, third-party transfer, and enforcement. The principle of “enforcement” includes making sure that procedures are in place to verify a company’s adherence to the rules and a sanctions regime sufficient to ensure compliance.
Can You Find Me Now?: New Jersey Supreme Court Says Police Need a Warrant to Access Location Information From a Cell Phone
“Advances in technology offer great benefits to society in many areas. At the same time, they can pose significant risks to individual privacy rights.” So begins the recently-issued unanimous decision of the New Jersey Supreme Court in State v. Earls, in which the Court found that “cell-phone users have a reasonable expectation of privacy in their cell-phone location information” and, therefore, under the New Jersey Constitution, “police must obtain a search warrant before accessing that information.” Coming at a time when the public’s attention is particularly focused on the tension between technology and privacy, this opinion represents a groundbreaking new rule of law on the constitutional limits of new methods of tracking and surveillance. (See also the U.S. Supreme Court’s 2011 decision in United States v. Jones and the New York Court of Appeals’ recent opinion in Cunningham v. New York State Department of Labor.) With this unprecedented decision, the New Jersey Supreme Court becomes the first state supreme court to find a constitutionally-protected privacy right in the location of a personal cell phone.
In U.S. v. Hamilton, the United States Court of Appeals for the Fourth Circuit found that a husband who sent messages from his work email account to his wife, yet took no steps to protect the sanctity of those emails, waived the marital communications privilege, thus subjecting the emails to disclosure during discovery. This case serves as an important reminder that employees do not necessarily enjoy an expectation of privacy in the emails they send from their work accounts or while using their employers’ computers.
Taking Over Former Employee’s LinkedIn Account Not a Violation of Federal Law, According to Pennsylvania District Court
A Pennsylvania Federal District Court has decided that an employer did not violate the Federal Computer Fraud and Abuse Act (“CFAA”) or the Federal Lanham Act, when it took control of a departed employee’s LinkedIn account. The Court ruled that (1) the CFAA, which in part prohibits unauthorized access to a computer with the intent to defraud, did not come into play and (2) no trademark infringement in violation of the Lanham Act had occurred.
Show Some Respect: International Privacy and Comity Concerns May Become More Important in Foreign E-Discovery Disputes
Twenty-five years ago, in Aerospatiale v. District Court of Iowa, the United States Supreme Court admonished lower courts that international comity compels them to “take care to demonstrate due respect for any special problem confronted by the foreign litigant on account of its nationality or the location of its operations, and for any sovereign interest expressed by a foreign state.” And for the last twenty-five years, courts generally have not heeded that advice, giving short shrift to the idea that foreign privacy or data protection laws must be enforced if the result is to limit discovery of relevant information. At the urging of lawyers and several influential organizations, that could finally be changing.
On October 3, 2011, the United States Court of Appeals for the Ninth Circuit determined that the Electronic Communications Privacy Act of 1986 (“ECPA”), 18 U.S.C. §§ 2510-2522, applies to foreign citizens, giving them the same privacy protections Congress afforded U.S. citizens in connection with the disclosure of electronic data by third-party service providers.