Transnational Discovery

On January 13, 2020, U.S. District Court Judge Castel of the Southern District of New York in SEC v. Telegram Group Inc. et al., No. 19 Civ. 9439 (PKC) granted the motion of the U.S. Securities and Exchange Commission (“SEC”) to compel Telegram Group Inc., a technology company best known for its secure messaging app, to produce overseas bank records (Dkt. 67). The SEC had sought these records “fully unredacted” on an expedited basis in support of its claim that Telegram engaged in an unregistered securities offering (Dkt. 52). Telegram objected to any production, asserting that the records were of questionable relevance, that they contained banking and personal information protected by a host of foreign laws, and that it would be unduly burdensome to “to cull through these records and redact the personal information of non-U.S. persons and entities subject to foreign data privacy law protections.” (Dkt. 55). In a short decision, the Court ordered Telegram to produce the records on a tight timeline, holding that “[o]nly redactions necessitated by foreign privacy laws shall be permitted, and a log stating the basis for any redaction shall be produced at the same time the redacted documents are produced.”

There are a few key takeaways from this decision. First, the Court recognized foreign data privacy laws as legitimate grounds for withholding otherwise discoverable information. Defendant was not given a blank check to redact; rather, the Court required Telegram to log the basis for any privacy assertions, and one can expect the SEC will closely question Telegram on the redactions. At the same time, the Court clearly did not agree with the SEC’s characterization of data privacy laws as “blocking statutes” to be ignored, and was not swayed by its complaints that Telegram had not shown that such laws require deference. This is consistent with an observed general heightened sensitivity to data privacy and data security interests in the U.S. and abroad.

Judge Castel’s approach represents a change from U.S. courts’ prior dismissive treatment of similar disclosure objections. Courts traditionally would apply a multi-factor comity analysis that generally prioritized U.S. discovery interests over those of conflicting foreign laws and ultimately required unredacted production. See, e.g., Laydon v. Mizuho Bank, Ltd., 183 F. Supp.3d 409 (S.D.N.Y. 2016) (requiring unredacted production of data protected by the then EU privacy regulation, the 1995 EU Directive 95/46/EC, based on comity analysis set out in Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, 482 U.S. 522, 544 n.29 (1987) (hereinafter “Aerospatiale”)). Certainly, the SEC pushed for the customary approach, but Judge Castel appears implicitly to have to have resolved in short form (or skipped over) the Aerospatiale comity analysis and accepted the legitimacy of foreign restrictions on disclosure in U.S. proceedings.Continue Reading Burden of Compliance With Foreign Data Privacy Laws Does Not Justify Withholding of Banking Records

The European Union’s (“EU”) General Data Protection Regulation (“GDPR”) turned one year old on May 25th. European data protection regulators celebrated by continuing to work through a rising number of complaints and infractions, and by stepping up their monitoring for violations. US companies are directly in the crosshairs. Whether based in the EU or not, a company is potentially subject to the GDPR (and its stiff fines up to 4% of annual global revenue) if it offers goods or services to data subjects located in the EU, or monitors individuals’ online behavior or personal information in the EU. This means that a US company engaged in the common business practice of collecting data from its EU customers must assess and implement business practices to ensure GDPR compliance.

The US and EU engaged in approximately $1.3 trillion dollars in trade last year. With that level of economic activity, and accompanying data flows, many US companies should already have in place the basic structures for GDPR compliance. However, recent surveys suggest that a significant number of companies impacted by the GDPR are still grappling with compliance. In a recent Forrester Research study, “Security Through Simplicity,” over half of the responding IT decision-makers revealed that their companies had not yet carried out even basic GDPR compliance steps such as vetting third-party vendors, hiring data protection officers, training employees, setting up mechanisms for the “72-hour data breach notification” requirement, and collecting evidence and documenting efforts to address GDPR compliance risks. Further, only about 4,650 US companies are currently registered and self-certified with the EU-US Privacy Shield framework (compared to the over 100,000 mid- to large-sized companies in the US, according to business census data). Such certification goes a long way toward permitting a US company to receive certain EU data in a GDPR compliant manner.Continue Reading At the GDPR’s First Anniversary, the Impact on US Companies Grows

“Pokémon Go” Developer feels the heat over data collection; 2nd Circuit Ruling limits government’s access to data stored overseas; 9th Circuit CFAA Ruling increases Facebook’s control over its Users’ Data; Dutch Study reveals tension between EU Trade Deals and Data Protection

“Pokémon Go” Developer in Hot Water over Extensive Data Collection Practices

In early July, mobile game developer Niantic released “Pokémon Go,” a free-to-download “augmented reality” game for Android and iOS devices. In less than a week, the game had been downloaded by more than 15 million unique users, making the game’s launch one of the most widely-adopted in history. Privacy advocates soon raised serious questions about the game and its accompanying privacy policy, which until July 12 granted full access to users’ Google account data unless users opted-out of such permissions—prompting Niantic to issue its first update resolving the permissions issue.

On July 12, Senator Al Franken (D-MN) sent a letter to Niantic CEO John Hanke demanding the company explain in detail the types of data Niantic collects from players, why that data “in necessary for the provision or improvement of services,” and how the company plans to use the data gathered. Franken’s letter also questioned the company’s opt-out data collection practices, suggesting that “Niantic consider making this collection/access opt-in.”  Franken, who serves as the Ranking Member on the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law, has in the past spoken out against similar practices by other mobile app developers, including Uber and Lyft. Mr. Hanke has until August 12 to respond to Sen. Franken’s questions.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of July 9

The Second Circuit today issued a much-anticipated ruling holding that U.S. firms are not required to turn over user data stored overseas, even in the face of a government warrant.  This decision arose from Microsoft’s December 2014 appeal of a civil contempt ruling against the tech giant for refusing to turn over the personal data

On June 15, 2015, Justice Ministers in the Council reached agreement on a general approach concerning the General Data Protection Regulation (GDPR). This allows the Council to start negotiations with the European Parliament (which formally adopted its compromise text for the GDPR in March 2014) with a view to reaching overall agreement on the GDPR.

The European Commission introduced the draft General Data Protection Regulation (GDPR) in January 2012. The GDPR seeks to harmonize legislation across the EU member states, replacing the 1995 EU Directive and the varying national laws that have implemented this Directive.

The European Parliament formally adopted its compromise text for the proposed GDPR back in March 2014. The Council of Ministers is expected to adopt its general approach to the Regulation during its June 15/16 meetings in Luxembourg. If it does so, the first meeting for the so-called “trilogue” negotiations between the Commission, the Parliament and the Council with a view to agreeing on a final text for the GDPR is scheduled for June 24. It is expected that, if all goes well, these negotiations will continue until the end of the year. Even after that, the new rules will only become effective two years later — so at the earliest by the end of 2017.

As so many stakeholders have been negotiating the draft GDPR for more than three years now, various components of the draft have found a way to reach a larger audience, notably national decision makers.

That is also why, although we may have to wait for quite some time before new EU rules become effective, we are increasingly seeing national legislators introduce the new concepts and obligations themselves, without waiting for the GDPR. This trend is also driven by recent events such as the Snowden revelations and the issues around the Facebook social plug-ins.Continue Reading Data Breaches and Data Protection Enforcement: Netherlands and Belgium Not Waiting for New Data Protection Regulation

This morning, I went to a seminar organized by the Belgian Data Protection Authority during which the new “Belgian Cyber Security Guide” was introduced.

The guide is an initiative from the ICC Belgium, the Federation of Enterprises in Belgium, B-CCentre (Belgian Cybercrime Centre of Excellence for Training, Research & Education), Isaca, E&Y and Microsoft, with the support of the EU Commission.

The President of the Federation of Enterprises in Belgium, who actually took the first step for the drafting of this guide, mentioned in his speech that the guide is such as the result of a demand from Belgian companies for a practical guide on cyber security.

The goal of the guide is to inform the boardroom and higher management about Cyber Security, its key risks and principles and must-do actions.
Continue Reading Belgian Cyber Security Guide

Last week, in In re Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corp., a federal judge lifted the stay of execution of an order requiring Microsoft to turn over content stored on a Microsoft server located in Ireland.  While this development is largely procedural, we have previously discussed the

A federal judge in the Southern District of New York upheld a magistrate judge’s decision that requires Microsoft to turn over to federal prosecutor customer email content stored in an overseas Microsoft data center. Ruling from the bench, Chief Judge Loretta Preska concluded that Microsoft must comply with a U.S. search warrant for customer emails,

We are pleased to announce the publication of a report titled “Data Law Trends & Developments: E-Discovery, Privacy, Cyber-Security & Information Governance.” The report explores recent trends and anticipated future developments on critical issues related to the intersection of technology and the law, which affect a wide range of companies and industries. In addition, the report highlights key cases and issues to watch in 11 areas of data law, including: information governance, cybersecurity, social media, technology-assisted review, criminal law, regulatory, cooperation, privacy, cross border transfers, bring your own device (BYOD), and privilege.
Continue Reading Crowell & Moring Releases “Data Law Trends & Developments” and Announces Expanded “Data Law Insights” Blog