Transnational Discovery

The European Union’s (“EU”) General Data Protection Regulation (“GDPR”) turned one year old on May 25th. European data protection regulators celebrated by continuing to work through a rising number of complaints and infractions, and by stepping up their monitoring for violations. US companies are directly in the crosshairs. Whether based in the EU or not, a company is potentially subject to the GDPR (and its stiff fines up to 4% of annual global revenue) if it offers goods or services to data subjects located in the EU, or monitors individuals’ online behavior or personal information in the EU. This means that a US company engaged in the common business practice of collecting data from its EU customers must assess and implement business practices to ensure GDPR compliance.

The US and EU engaged in approximately $1.3 trillion dollars in trade last year. With that level of economic activity, and accompanying data flows, many US companies should already have in place the basic structures for GDPR compliance. However, recent surveys suggest that a significant number of companies impacted by the GDPR are still grappling with compliance. In a recent Forrester Research study, “Security Through Simplicity,” over half of the responding IT decision-makers revealed that their companies had not yet carried out even basic GDPR compliance steps such as vetting third-party vendors, hiring data protection officers, training employees, setting up mechanisms for the “72-hour data breach notification” requirement, and collecting evidence and documenting efforts to address GDPR compliance risks. Further, only about 4,650 US companies are currently registered and self-certified with the EU-US Privacy Shield framework (compared to the over 100,000 mid- to large-sized companies in the US, according to business census data). Such certification goes a long way toward permitting a US company to receive certain EU data in a GDPR compliant manner.


Continue Reading

“Pokémon Go” Developer feels the heat over data collection; 2nd Circuit Ruling limits government’s access to data stored overseas; 9th Circuit CFAA Ruling increases Facebook’s control over its Users’ Data; Dutch Study reveals tension between EU Trade Deals and Data Protection

“Pokémon Go” Developer in Hot Water over Extensive Data Collection Practices

In early July, mobile game developer Niantic released “Pokémon Go,” a free-to-download “augmented reality” game for Android and iOS devices. In less than a week, the game had been downloaded by more than 15 million unique users, making the game’s launch one of the most widely-adopted in history. Privacy advocates soon raised serious questions about the game and its accompanying privacy policy, which until July 12 granted full access to users’ Google account data unless users opted-out of such permissions—prompting Niantic to issue its first update resolving the permissions issue.

On July 12, Senator Al Franken (D-MN) sent a letter to Niantic CEO John Hanke demanding the company explain in detail the types of data Niantic collects from players, why that data “in necessary for the provision or improvement of services,” and how the company plans to use the data gathered. Franken’s letter also questioned the company’s opt-out data collection practices, suggesting that “Niantic consider making this collection/access opt-in.”  Franken, who serves as the Ranking Member on the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law, has in the past spoken out against similar practices by other mobile app developers, including Uber and Lyft. Mr. Hanke has until August 12 to respond to Sen. Franken’s questions.


Continue Reading

The Second Circuit today issued a much-anticipated ruling holding that U.S. firms are not required to turn over user data stored overseas, even in the face of a government warrant.  This decision arose from Microsoft’s December 2014 appeal of a civil contempt ruling against the tech giant for refusing to turn over the personal data

On June 15, 2015, Justice Ministers in the Council reached agreement on a general approach concerning the General Data Protection Regulation (GDPR). This allows the Council to start negotiations with the European Parliament (which formally adopted its compromise text for the GDPR in March 2014) with a view to reaching overall agreement on the GDPR.

The European Commission introduced the draft General Data Protection Regulation (GDPR) in January 2012. The GDPR seeks to harmonize legislation across the EU member states, replacing the 1995 EU Directive and the varying national laws that have implemented this Directive.

The European Parliament formally adopted its compromise text for the proposed GDPR back in March 2014. The Council of Ministers is expected to adopt its general approach to the Regulation during its June 15/16 meetings in Luxembourg. If it does so, the first meeting for the so-called “trilogue” negotiations between the Commission, the Parliament and the Council with a view to agreeing on a final text for the GDPR is scheduled for June 24. It is expected that, if all goes well, these negotiations will continue until the end of the year. Even after that, the new rules will only become effective two years later — so at the earliest by the end of 2017.

As so many stakeholders have been negotiating the draft GDPR for more than three years now, various components of the draft have found a way to reach a larger audience, notably national decision makers.

That is also why, although we may have to wait for quite some time before new EU rules become effective, we are increasingly seeing national legislators introduce the new concepts and obligations themselves, without waiting for the GDPR. This trend is also driven by recent events such as the Snowden revelations and the issues around the Facebook social plug-ins.


Continue Reading

This morning, I went to a seminar organized by the Belgian Data Protection Authority during which the new “Belgian Cyber Security Guide” was introduced.

The guide is an initiative from the ICC Belgium, the Federation of Enterprises in Belgium, B-CCentre (Belgian Cybercrime Centre of Excellence for Training, Research & Education), Isaca, E&Y and Microsoft, with the support of the EU Commission.

The President of the Federation of Enterprises in Belgium, who actually took the first step for the drafting of this guide, mentioned in his speech that the guide is such as the result of a demand from Belgian companies for a practical guide on cyber security.

The goal of the guide is to inform the boardroom and higher management about Cyber Security, its key risks and principles and must-do actions.
Continue Reading

Last week, in In re Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corp., a federal judge lifted the stay of execution of an order requiring Microsoft to turn over content stored on a Microsoft server located in Ireland.  While this development is largely procedural, we have previously discussed the

A federal judge in the Southern District of New York upheld a magistrate judge’s decision that requires Microsoft to turn over to federal prosecutor customer email content stored in an overseas Microsoft data center. Ruling from the bench, Chief Judge Loretta Preska concluded that Microsoft must comply with a U.S. search warrant for customer emails,

We are pleased to announce the publication of a report titled “Data Law Trends & Developments: E-Discovery, Privacy, Cyber-Security & Information Governance.” The report explores recent trends and anticipated future developments on critical issues related to the intersection of technology and the law, which affect a wide range of companies and industries. In addition, the report highlights key cases and issues to watch in 11 areas of data law, including: information governance, cybersecurity, social media, technology-assisted review, criminal law, regulatory, cooperation, privacy, cross border transfers, bring your own device (BYOD), and privilege.
Continue Reading

The July 2000 Safe Harbor agreement between the United States and Europe concerning cross-border data flows is one of the key regulatory structures governing how organizations can collect, store, move, and use the massive amount of personal data generated in our interconnected world. Fourteen years after its inception, the agreement is under increasing strain from the rapid pace of technological innovation, high-profile breaches of consumer data, and the continued fallout from the Edward Snowden revelations. The EU and U.S. are in the process of updating the original agreement to reflect these new concerns. The implications for organization data operations and privacy policies could be significant, creating new regulatory structures and demanding new procedures and safeguards.
Continue Reading