News Archives

Tuesday, April 17, 2018

Supreme Court Drops Microsoft-Ireland Case

On April 17, the US Supreme Court dismissed the Microsoft-Ireland case on the grounds that Congressional enactment of the Clarifying Lawful Overseas Use of Data (CLOUD) Act in March rendered the case moot.  Microsoft had objected to complying with a search warrant for data stored in Ireland that was based upon the 1986 Stored Communications Act, contending that the Act did not address judicial accessibility to data stored abroad.  The CLOUD Act resolved this matter by providing an explicit legal basis for warrants to obtain data stored on foreign servers.  After the dismissal of the case, which both the Department of Justice and Microsoft supported, the DOJ served Microsoft with a new warrant for the Irish data.  Microsoft indicated that it is reviewing the warrant, although compliance with it is not a foregone conclusion.  During five years of litigation in the case, the company had argued that warrants should only be issued on the basis of relevant bilateral agreements with foreign countries; none have been negotiated between the US and Ireland.

Both Privacy Shield and SCCs on the Block in Schrems Facebook Case

On April 12, the Irish High Court set forth eleven questions it intends to put to the Court of Justice of the European Union (CJEU) stemming from the complaint against Facebook lodged by Max Schrems with the Irish Data Protection Commissioner in 2013.  A separate complaint by Schrems, it will be recalled, had led to the CJEU’s invalidation of the European Commission’s Safe Harbor adequacy decision in 2015. While most observers believed that the adequacy of protections provided through standard contractual clauses would be the sole focus of what has come to be known as Schrems II, the High Court’s CJEU referral included bombshell questioning of the validity of the Privacy Shield Framework as well.  A CJEU ruling eliminating both standard contractual clauses and Privacy Shield as viable legal bases for personal data transfers from the EU to the US could severely disrupt data transfers from Europe and the U.S. businesses that depend upon them.  The Irish High Court gave Facebook until April 30 to appeal the intended referral to the CJEU, although this appears to be largely a formality.

Much of the early analysis of the Court’s ruling (for example, here) has focused on the magnitude of its potential impact upon Facebook, which is already under enormous pressure in both the U.S. and Europe because of its Cambridge Analytica data breach.  Serious as Facebook’s problems may be, they pale in comparison with the economic upheaval that might attend a near collapse of transatlantic data flows. Two mitigating factors should be noted, however.  In the first place, businesses using consent or binding corporate rules as the legal basis for data transfers are unlikely to be impacted by any invalidation of standard contractual clauses and Privacy Shield. Secondly, as Max Schrems suggests in his excellent summary of the case, the CJEU might rule that only “electronic communication service providers” would be impacted by such a CJEU ruling, since the surveillance law at the heart of its Safe Harbor case, namely FISA sec. 702, only applies to them.  This would of course have enormous impact upon companies such as Facebook, Google, Amazon, Twitter, Microsoft and Apple, but might spare thousands of US companies primarily trading in goods and services.

Wednesday, March 14, 2018

CNIL Shows Pragmatic Flexibility on GDPR Enforcement

With the EU General Data Protection Regulation coming into full force and effect on May 25, 2018, the French data protection authority has announced its plans for enforcement activity once that date arrives.  Even though the adopted text of the GDPR was released nearly three years ago, in principle giving companies ample time to come into compliance, the CNIL has recognized the reality that many companies are still struggling to understand and execute the many new measures that will be required.  Demonstrating flexibility, the CNIL says that it will distinguish between two types of obligations:  the fundamental principles of data protection found in the current Data Protection Directive, and the new obligations or rights found in the GDPR, such as the right to data portability and privacy impact assessments.

According to the CNIL, it will continue to “vigorously enforce” the fundamental principles, while focusing on helping companies understand and implement the new rights and obligations. Where companies are making “good faith” efforts to comply with the new rights and obligations, the CNIL states that sanction procedures will normally not be instituted “in the first months.”  The very concept of a “transitional period” during which the potential for significant sanctions will be held in abeyance, while vaguely defined, is both pragmatic and generous.  The February 19 guidance also waives the need for the immediate completion of a privacy impact assessment by companies whose processing was previously approved by the CNIL and addresses issues faced by companies awaiting CNIL response to their registrations.

Tuesday, March 13, 2018

Update on Data Protection Enforcement in Russia

English-language information on data protection in Russia is hard to come by, thanks to the latest iteration of the Cold War, so an update by Hogan Lovells is worth highlighting.  The Russian DPA, Roskomnadzor, held a recent open house to publicize its 2017 enforcement activities.  If there was ever any doubt that Russian entities were paying attention to DP law, Roskomnadzor reported that over 400,000 data operators had registered with the authority through the end of 2017.  The majority of data subject complaints received by the DPA were directed against banks, housing services providers and debt collection agencies, with general website operators also a significant focus of complaints.  In a uniquely Russian approach to the latter, Roskomnadzor maintains a register of websites that violate data subjects’ rights.  In 2017, 453 websites were added to the register, with 176 blocked because of the seriousness of their violations, an increase in enforcement activity consistent with Roskomnadzor’s shift to systemic monitoring of entities as opposed to individual inspections.

Of particular note to US-based companies operating in Russia, Roskomnadzor clarified that data operators should obtain separate written consent for each purpose of processing.  Such guidance is consistent with the GDPR’s requirements around granular consent, although compelling it to be in writing is not.  Finally, in contrast with the weaker protections provided by US law, Roskomnadzor stated that personal data posted by social media users should not be treated as publicly available data and should only be processed on the basis of a lawful ground.

Thursday, March 1, 2018

US Supreme Court Hears Arguments in Microsoft-Ireland Case

On February 27, the US Supreme Court heard oral arguments in United States v. Microsoft Corp., where the issue is court-described as “whether a United States provider of email services must comply with a probable-cause-based warrant…by making disclosure in the United States of electronic communications within that provider's control, even if the provider has decided to store that material abroad.”  Legal proceedings began in 2013 when Microsoft challenged a warrant by law enforcement issued under the 1986 Stored Communications Act to turn over email of a target account that was stored in Ireland, a position that was upheld by the US Court of Appeals for the Second Circuit in 2016.  Dozens of amicus briefs in the case were filed by tech companies, industry associations, advocacy groups, scholars, legislators on both sides of the Atlantic, EU member states, the European Commission and attorneys general in 35 US states.

According to a report by Reuters, Supreme Court justices appeared to be divided during the hearing, with some, like Roberts and Alito, expressing sympathy for the government’s position and others, like Ginsburg and Sotomayor, questioning whether the court should act given that Congress is considering bipartisan legislation to resolve the issue.  A more extended analysis in the Lawfare blog suggests that a decision is unlikely to be made along ideological lines, that current Congressional deliberation on the CLOUD Act may be very influential, and that issues relating to sovereignty of foreign nations and global responses to any definitive ruling were only partially addressed.  A ruling in the case is expected in June.

Tuesday, February 27, 2018

Spread of National DP Laws Continues

February brought news of progress by a number of nations towards adoption of comprehensive data protection laws.

In Brazil, the National Congress is debating two separate bills, one in the Senate and one in the House.  The House Bill on the Protection of Personal Data is strongly influenced by the EU’s General Data Protection Regulation, even updating and strengthening GDPR requirements in a number of areas.  While the bill may secure passage in 2018, comprehensive bills have been debated in Brazil on and off since 2010 (see the December 2010 report in this blog) and the current political and economic turmoil in the country may lead to further delays.

In South Africa, the country’s Information Regulator is now expected to put the Protection of Personal Information (POPI) Act into effect in the second half of 2018.  POPI was signed into law by President Jacob Zuma in 2013, but its implementation was delayed while regulatory infrastructure, capability and guidance were developed.

In India, Electronics and IT Minister Ravi Shankar Prasad stated that a report from the 10-member Srikrishna Committee on data protection was expected shortly, after which a comprehensive bill would be prepared.  In a hearing challenging Aadhaar near the end of January, the country’s Attorney General informed the Supreme Court that a draft bill would be ready by March 2018.

In Thailand, a public consultation on a revised Personal Data Protection Bill, which incorporates a number of concepts from the GDPR, concluded on February 6.  The next steps for the bill will be its advancement to the country’s Cabinet for approval, then to the National Legislative Assembly and finally to the country’s King for final approval.

Finally, definitive effective dates for previously enacted comprehensive DP laws were reported for Bermuda and the Cayman Islands.  Bermuda’s Personal Information Protection Act, passed in July 2016, will come into full force in December 2018.  Cayman’s Data Protection Law, passed in March 2017, will come into effect a month after Bermuda's, in January 2019.

Thursday, February 22, 2018

ECHR Upholds Search of Employee Work Computer

On February 22, the European Court of Human Rights upheld the termination of a French employee on the basis of discovery of pornography on his work computer.  Eric Libert, a regional director of surveillance for SNCF, was fired in 2008 after a search of his computer revealed a large number of files containing pornographic content and what was described as forged certificates for third parties.  Libert had appealed to French courts, claiming that his employer had violated his “right to respect for private and family life,” a right guaranteed in Article 8 of the European Convention on Human Rights.  However, the courts ruled that while he had marked the files as “personal,” he should have marked them as “private,” which under French law would have prevented scrutiny by his employer.  The ECHR agreed, adding that SNCF “had pursued a legitimate aim of protecting the rights of employers, who might legitimately wish to ensure that their employees were using the computer facilities which they had placed at their disposal in line with their contractual obligations and the applicable regulations.”  It is curious that so little consideration was given by the courts to Libert’s evident intent to keep access to certain files to himself, with the ruling apparently turning upon his use of the wrong file descriptor.

The ECHR has been active in recent years in cases involving workplace monitoring, threading the needle on this issue by deciding cases with close attention to the facts involved.  As reported in this blog, the ECHR backed the monitoring of chats and webmail accounts of a Romanian employee in January 2016, but just last month ruled against what turned out to be partially covert video surveillance of Spanish employees.  As noted in the earlier case, ECHR rulings, unlike those of the Court of Justice of the European Union, are only applicable in the member state in which the case originates.