On February 8, 2016, the French Data Protection Authority (CNIL) publicly issued a formal notice to Facebook, following a joint investigation with four other EU regulators, asking the U.S. social network provider to comply with the French Data Protection Act within three months’ time. The notice (unofficial English translation available here) outlined several alleged violations of the law, including:

  1. collection of non-user data;
  2. collection of sensitive data (sexual orientation and political/religious views) without users’ “explicit consent” (i.e., a tick box);
  3. collection of “excessive” information to verify identities (e.g., requesting medical records when users replace their surname with that of a celebrity);
  4. use of cookies without notice or consent;
  5. failure to define and observe proportional data retention periods and failure to ensure data security (e.g., stronger password requirements);
  6. failure to obtain CNIL authorization for processing related to preventing fraud and banning users; and
  7. transfer of data to the U.S. under the invalidated U.S.-EU Safe Harbor (Safe Harbor) (alleged based on the company’s privacy statement).



Certain European Union (EU) Member States’ data protection authorities (DPAs) have already started to announce investigations and/or “prudential measures” for data transfers solely relying on the invalidated “U.S.-EU Safe Harbor Framework” (Safe Harbor).

In the aftermath of the announcement of the “EU-U.S. Privacy Shield” (Privacy Shield), the Article 29 Working Party (WP29), comprised of all EU Member State DPAs, announced an extension of the “grace period” for U.S. data transfers based on alternative transfer mechanisms (e.g., EU standard contractual clauses and Binding Corporate Rules) other than Safe Harbor, at least until the Privacy Shield has been reviewed by WP29 (likely by the end of March 2016).



In conjunction with the 2015 American Bar Association annual State of Criminal Justice publication, Louisa Marion and I have published a new chapter on “Digital Privacy and E-Discovery in Government Investigations and Criminal Litigation.” The article provides an in-depth look at many of the current and cutting-edge issues raised by digital privacy

On April 7, 2015, the Federal Trade Commission (FTC) announced two new U.S.-EU Safe Harbor cases. TES Franchising, LLC and American International Mailing, Inc. have agreed to settle FTC charges that the companies falsely claimed they were abiding by the U.S.-EU Safe Harbor Framework, a voluntary but enforceable framework that enables U.S. companies to transfer personal data from the European Union to the United States in compliance with the EU data protection directive’s adequacy requirement.

According to the TES settlement, TES allegedly deceived consumers about the nature of its dispute resolution procedures by noting on its website that Safe Harbor-related disputes would be settled by an arbitration agency, would take place in Connecticut, and costs would be split between the consumer and the company. Aside from the fact that it would be nearly impossible to argue that a dispute resolution process like that is “readily available and affordable,” as the Safe Harbor Framework requires, the TES policy also allegedly failed to align with the TES Safe Harbor certification filing, which stated that TES would resolve disputes through the European data protection authorities, a process which does not require in-person hearings and which costs the consumer nothing. Finally, the FTC complaint notes the alleged misrepresentation by TES that it was a licensee of TRUSTe’s privacy compliance products when in fact TES was not a licensee of TRUSTe.



The Federal Trade Commission (FTC) has been at it again, settling on December 31, 2014, with Snapchat over privacy and data security concerns stemming from its text and video mobile messaging services. The settlement is instructive for gauging the FTC’s enforcement priorities and illustrates the steep costs a company can face when the FTC alleges the company has engaged in deceptive or unfair trade practices.

The recent decision in Brown v. Tellermate Holdings, out of the Southern District of Ohio, provides yet another valuable illustration of the critical need for litigation counsel to take reasonable steps to educate themselves about potentially relevant ESI in the possession, custody, or control of their clients and to take appropriate measures to preserve and produce that information. The case highlights, in particular, the pitfalls associated with cloud-based ESI (specifically, a common sales app called salesforce.com) as well as the severe sanctions that can befall those who make significant missteps, as the defendant and its counsel learned in Brown.

United States Magistrate Judge Terence Kemp observed early in his decision: “Discovery did not go smoothly.” The court’s recitation of the procedural history and discovery issues in the case soon reveals this to be a significant understatement. Judge Kemp ultimately sanctioned the defendant and its counsel for failing to preserve and timely produce ESI relevant to the plaintiffs’ age discrimination suit. In addition to awarding attorney’s fees and costs incurred by the plaintiffs in filing and prosecuting various motions, the court prohibited the defendant from introducing or relying on any evidence that it terminated the plaintiffs’ employment for performance-related reasons rather than age. Judge Kemp reasoned that the defendant’s discovery failings prevented the plaintiffs from obtaining discovery relevant to that critical issue.

As part of Crowell’s “Data Law Trends & Developments: E-Discovery, Privacy, Cyber-Security & Information Governance,” Steve Byers and I examined the hottest topics in E-Discovery in Government Investigations and Criminal Litigation. Our report begins on page 15, and explores recent trends in this rapidly expanding field and forecasts potential developments with Federal Rule

In conjunction with the 2014 American Bar Association annual State of Criminal Justice publication, Louisa Marion and I have published a new chapter on “E-Discovery in Government Investigations and Criminal Litigation.” The article provides an in-depth look at many of the current and cutting-edge issues raised by e-discovery in this context, including

We are pleased to announce the publication of a report titled “Data Law Trends & Developments: E-Discovery, Privacy, Cyber-Security & Information Governance.” The report explores recent trends and anticipated future developments on critical issues related to the intersection of technology and the law, which affect a wide range of companies and industries. In addition, the report highlights key cases and issues to watch in 11 areas of data law, including: information governance, cybersecurity, social media, technology-assisted review, criminal law, regulatory, cooperation, privacy, cross border transfers, bring your own device (BYOD), and privilege.

In a recent article published in Law360, Beware of Conditional Responses to Discovery, Gregory J. Leighton, Kevin C. May, and Andrew S. Fraker of Neal Gerber & Eisenberg LLP discuss the growing number of cases in which federal judges have scrutinized conditional discovery responses—responses that assert objections but state that documents will be produced “subject to” or “reserving” the objections. Because the use of this type of response is commonplace, and because the potential consequences—including wholesale waiver of objections—suggested by recent decisions could be severe, the issue is worth careful consideration.