Justin Kingsolver

DOJ Proposes Workaround to Microsoft Ruling; United States Joins Irish Facebook Case; St. Louis Cardinals Scouting Director Sentenced to 46 Months; EU’s Advocate General Okays National Data Retention Laws; Data Protection Authority of Hamburg Becomes “Completely Independent”; 9th Circuit Suggests Password Sharing is a Federal Crime

DOJ Seeks Legislative Circumvention of 2nd Circuit’s Microsoft Ruling

Late last week, Assistant Attorney General Peter Kadzik sent a letter to Vice President Biden (in his role as presiding officer of the U.S. Senate) asking Congress to amend the Electronic Communications Privacy Act (ECPA) to permit government warrants to reach data stored overseas. This letter was written in response to the Second Circuit’s ruling earlier this month in Microsoft v. U.S., in which the Second Circuit ruled that ECPA’s data seizure provisions did not apply extraterritorially and in which Judge Lynch, in concurrence, called for congressional intervention.  For more information about the Microsoft ruling, please see the Crowell & Moring “Data Law Insights” blog post detailing the court’s decision.

ECPA reform, General Kadzik’s letter argued, will resolve cross-border data access issues for both domestic and foreign governments investigating criminal activity, including terrorism. The proposal seeks to change U.S. law to “authorize law enforcement to obtain electronic data located abroad.” Admonishing the Second Circuit’s decision, General Kadzik noted the “significant public safety implications of the Microsoft decision.”

United States permitted to join Irish Facebook Case

On July 19, 2016, the Irish High Court has granted the United States permission to join the lawsuit initiated by Austrian privacy activist and law graduate Max Schrems against Facebook as an amicii curiae party. The U.S. is now entitled to offer testimony and legal opinions in the case over the legitimacy of EU-U.S. data transfers.

“The United States has a significant and bona fide interest in the outcome of these proceedings,” Justice Brian McGovern said when approving the U.S. government’s application to join the case. According to Schrems, “the fact that the U.S. government intervenes in this lawsuit shows that we hit them from a relevant angle. The U.S. can largely ignore the political critique on U.S. mass surveillance, but it cannot ignore the economic relevance of EU-U.S. data flows.”

Schrems, who had already convinced the European Court of Justice to declare the former “U.S.-EU Safe-Harbor” Framework for data transfers from the EU to the U.S. invalid in October 2015, had launched the second complaint in December, claiming in essence that the use of European Standard Contractual Clauses instead of the invalidated Framework would not solve the underlying issue: regardless of the data transfer mechanism used, U.S.-based multinationals are subject to U.S. mass surveillance. Indeed, Schrems has a clear idea of how to solve the issue: “The solution […] can however not be that the EU waives its fundamental rights, but that the U.S. gives proper legal protection to the data of foreigners, when they use U.S. services.”

St. Louis Cardinals Scouting Director Sentenced to 46 Months for Hacking Astros’ Computers

On July 18, In the latest development in a hacking scandal that has rocked the professional sports world, a federal judge sentenced former St. Louis Cardinals director of scouting Christopher Correa to serve 46 months in federal prison for hacking into the computer system of a rival MLB team. In 2013 and 2014, Correa hacked Houston Astros scouting records, lifting individual recruits’ hitting and pitching statistics and analytics to gain competitive intelligence on the Astro’s scouting efforts.

In January 2016, Correa pled guilty to five counts of accessing a protected computer without authorization. At his sentencing hearing, Judge Lynn Hughes of the U.S. District Court for the Southern District of Texas ordered Correa to spend 46 months in prison and to pay $279,000 in restitution to the Astros. This hacking incident was, according to the New York Times, the “first known case of corporate espionage in which a professional sports team hacked the network of another team.” Commissioner Rob Manfred has stated that MLB is in the midst of an independent investigation to determine whether the Cardinals organization was involved in the hacking, and if so, to assess possible disciplinary sanctions against the team.

European Court of Justice’s Advocate General pleas in favor of communication data retention laws

In a non-binding opinion issued on July 19, 2016 in the Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v. The Swedish Post and Telecom Authority (and others), Advocate General of the European Court of Justice Saugmansgaard Øe has pled in favor of national data retention laws. Should the Court follow this opinion, this could resolve the uncertain status of existing national data retention laws and give room for the adoption of new bills.

According to AG Øe, EU Member States may adopt laws on telecommunications and internet data retention for law enforcement purposes, if certain criteria are observed. In his view, the countries are not prevented from adopting national data retention laws despite the invalidation of the EU Data Retention Directive in 2014, provided that the law respects privacy rights and is strictly necessary to target serious crime. In the aftermath of the 2014 invalidation, several Member States such as Austria, Belgium, Bulgaria, Germany, the Netherlands, Poland, Romania, Slovakia and Slowenia had rescinded their laws whereas some others had retained them.

Although opinions of the Advocates General are preliminary findings ahead of a court ruling and thus not binding for the European Court of Justice, the judges tend to mostly follow an Advocate General’s opinion. If confirmed by the judgment, the opinion could be the first step towards a balanced approach for more security in Europe, while maintaining the fundamental right of Privacy.

Data Protection Authority of the German State of Hamburg becomes “completely independent” from state administration

On July 14, 2016, the population of the German federal city state of Hamburg, represented by the state Parliament, has enshrined the independence of the Hamburg Commissioner for Data Protection and Freedom of Information (“Hamburg DPA”) in the state’s constitution.

The amendment puts the DPA in a special position, outside of the direct administration of the state Senate and without any organizational connection to a supervising authority. It thereby gives the regulator “complete independence”, as required by EU law. Apart from this strengthened position of the authority, the change of law also institutionalizes freedom of information laws in Hamburg. As a result, “[i]n the future, the existence of the freedom of information will be protected by the state constitution itself and can no longer be swept away by a mere statutory law,” according to the DPA.

Johannes Caspar, head of the Hamburg DPA, said that the changes represent an “important modernization” of the constitution and grant the authority more powers when carrying out supervisory inspections, but also more responsibility for the protection of basic digital rights. The German authority, which also had been the first European Data Protection Authority to issue fines for continued transfers of personal data from the EU to the U.S. based on the invalidated “U.S.-EU Safe-Harbor Framework” and is now seeking to increase its human resources, can therefore be expected to expand its enforcement activities.

9th Circuit Ruling Suggests Sharing Netflix Passwords is a CFAA Criminal Violation

Earlier this month, in U.S. v. Nosal, the Ninth Circuit upheld the conviction of David Nosal, a former employee of an executive search firm that left the company to start his own firm.  As he left, two other former employees logged in to the executive search firm’s database using a current employee’s password.  Nosal was convicted by a jury of violating the CFAA by accessing his former employer’s computers after his permission had been revoked.  A vigorous dissent noted that the CFAA was not intended to “make the millions of people who engage in ubiquitous, useful, and generally harmless conduct [i.e., sharing passwords] into unwitting federal criminals.”

For more information, please see the Crowell & Moring “Trade Secrets Trends” blog post on this topic.