With the EU’s General Data Protection Regulation (GDPR) scheduled to go into effect in May of 2018 – an ambitious effort to harmonize a patchwork of EU privacy laws and create a uniform privacy regime that restricts the collection, processing and use of individual information – Germany has become the first member state to amend its own privacy laws in anticipation of the coming changes. In May 2017, the German Federal Council (‘Bundesrat’) passed an act intended to bring the current German data protection laws in line with the requirements of the GDPR. On July 5, 2017, the new German Federal Data Protection Act (‘Bundesdatenschutzgesetz’), referred to as the German Data Protection Act, was countersigned by the German Federal President and published in the Federal Law Gazette. The Act utilizes some of the framework and concepts of the GDPR to enhance Germany’s existing data protection rules, while at the same time modifies existing German privacy rules to allow for certain data to be used more freely in cases of national security and employment. Under the new German law, employee data can be processed if “necessary” to establish or carry out the employment relationship (for example, to enforce a collective bargaining agreement). Although this is not a substantive change from existing law, some clarifications have been made...
Author: Jeffrey L. Nagel
Second Circuit Reverses Lower Court Microsoft Decision and Holds That Email Evidence Stored Abroad Cannot Be Gathered Pursuant to Criminal Warrant Issued Under Stored Communications Act
In a prior post, we reported that Southern District of New York Magistrate Judge Francis determined that Microsoft must comply with a U.S. Government’s warrant seeking a user’s email content, even though the emails are stored in Microsoft’s datacenter in Dublin, Ireland. After the lower court declined to quash the subpoena and held Microsoft in contempt for failing to turn over customer content stored abroad, Microsoft appealed to the Second Circuit. On July 14, 2016 the appeals court issued an extensive opinion reversing the lower court’s ruling.
As previously noted, in response to the European Court of Justice ruling in Schrems v. Data Protection Commissioner (Case C-362/14) striking down as inadequate the so-called “safe harbor” agreement that existed for more than a decade, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. Described as the EU-U.S. “Privacy Shield” agreement, that framework has now been vetted by EU Member States, modified in certain respects, and formally adopted on July 12, 2016 by the European Commission.
Anyone reading recent headlines knows that Apple, Inc. is engaged in a legal, and ultimately political, struggle with the U.S. Government over access to the cell phone of Syed Rizwan Farook, one of the shooters in the December 2, 2015 terror attack at the Inland Regional Center in San Bernardino, California. The core issue in that California proceeding is whether Apple should be forced to “create and load Apple-signed software onto the subject iPhone device to circumvent the security and anti-tampering features of the device in order to enable the government to hack the passcode to obtain access to the protected data contained therein.”
New “Privacy Shield” Agreement Seeks to Resurrect a Safe Harbor for EU-U.S. Data Transfers – Can it Succeed?
On February 2, 2016, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. It was appropriate that the announcement came on Groundhog Day, because we have been here before.
Twitter’s ubiquitous 140-character-or-less tweets are not, the company argues, sufficiently similar to email or other forms of stored electronic information to warrant lumping them together with the likes of Google, Microsoft, Facebook, Yahoo!, or Apple, all of which have agreed to restrictive limitations on their public reporting of government surveillance. Twitter has sued the U.S. Government in federal court in California to make its point.
New York Court Rules Email Evidence Stored Abroad is Subject to Criminal Warrant Issued Under Stored Communications Act
Southern District of New York Magistrate Judge Francis has determined that Microsoft must comply with a U.S. Government’s warrant seeking a user’s email content even though the emails are stored in Microsoft’s datacenter in Dublin, Ireland. The decision is likely to get widespread attention and be the subject of future court review, as it expands the reach of a government criminal warrant beyond the borders of the United States to allow for the collection of evidence abroad.
In 2006, responding to terrorist attacks in London and Madrid, the European Commission impelemented a data retention directive (the “Directive”) seeking to harmonize EU member states’ retention of certain electronic data that is generated or processed by providers of electronic communications services or public communications networks. The Directive requires, among other things, that Internet service providers retain details of network user communications and information necessary to identify particular users for at least six months and, in some cases, up to two years.
Nothing “Safe” About It: Companies That Falsely Certify Compliance with the U.S.- E.U Safe-Harbor Framework May Receive Years of Regulatory Oversight
In 2000, the European Commission and U.S. Department of Commerce developed the so-called “U.S.-E.U. Safe-Harbor Framework” as a way to foster data transfer between the United States and E.U. countries notwithstanding concerns that U.S. privacy laws do not offer the same level of protection as E.U. laws with respect to personally identifiable information. As part of the safe-harbor framework, companies that choose to enter the program must publicly declare compliance with the safe-harbor requirements, which include adherence to seven privacy principles touching on the areas of notice, access, data integrity, individual choice (opt in/out rules), security, third-party transfer, and enforcement. The principle of “enforcement” includes making sure that procedures are in place to verify a company’s adherence to the rules and a sanctions regime sufficient to ensure compliance.
U.S. Supreme Court Continues Trend of Narrowing Scope of General Jurisdiction Over Foreign Defendants
A trend is apparent only in hindsight. It is now reasonably clear that the United States Supreme Court has, over the last several years, restricted access to United States courts by litigants seeking to recover from foreign defendants for alleged wrongdoing outside of the United States. Thus, the Court has reinvigorated the presumption against the extraterritorial application of United States law (Morrison v. National Australia Bank); rejected the argument that foreign subsidiaries of a United States parent corporation would be amenable to suit based on general jurisdiction simply because a small percentage of their goods were continuously shipped to the forum state (Goodyear v. Brown); and held that the presumption against extraterritoriality applies to the Alien Tort Statute (Kiobel v. Royal Dutch Petroleum). Each decision had the effect of narrowing access to United States courts for claims against foreign corporations based upon conduct that took place outside of the United States.