The July 2000 Safe Harbor agreement between the United States and Europe concerning cross-border data flows is one of the key regulatory structures governing how organizations may collect, store, move, and use the massive amount of personal data generated in our interconnected world. Fourteen years after its inception, the agreement is under increasing strain from the rapid pace of technological innovation, high-profile breaches of consumer data, and the continued fallout from the Edward Snowden revelations. The EU and U.S. are in the process of updating the original agreement to reflect these new concerns. The implications for organizations' data operations and privacy policies could be significant, creating new regulatory structures and demanding new procedures and safeguards.
Continue Reading What You Should Know About the Changing U.S.-EU Safe Harbor Agreement

In a remarkable decision addressing the reach of search warrants aimed at personal data stored by a third party in the cloud, a court ruled last week that an internet service provider (“ISP”) can be compelled to produce personal information located outside of the U.S. The decision by Magistrate Judge James Francis (S.D.N.Y.) denied Microsoft Corporation’s motion to quash a warrant requiring production of customer email content and related data stored on a server located in Dublin, Ireland. If adopted by other courts, the ruling could have far-reaching implications not only for overseas cloud storage, but for the privacy of personal data stored on third-party servers generally.

The specific issue addressed by the court concerns application of the infamously antiquated Stored Communications Act (“SCA”) of 1986, which allows the U.S. government to obtain information by subpoena, court order, or warrant from third parties such as ISPs. On December 4, 2013, the court approved the government’s request for an SCA search warrant to Microsoft seeking virtually all content and data associated with a particular email account. Microsoft produced all relevant information stored on its domestic servers, but moved to quash the warrant to the extent it sought information stored at its datacenter in Dublin, arguing that U.S. courts are not authorized to issue extraterritorial search warrants. Notably, it is not clear from the decision whether the owner of the subject email account is a U.S. resident.
Continue Reading Court Holds That U.S. Government Can Seize Email Data Stored Overseas and Questions Applicability of Fourth Amendment to “Information Communicated Through the Internet”

On March 27, 2014, the EU Court of Justice (CJEU) ruled in the UPC Telekabel Wien case that national courts may impose website-blocking orders on internet access providers (IAPs), requiring them to prevent their subscribers from accessing a website containing copyright-infringing material, without specifying the concrete blocking measures to be taken. The Court also emphasized that the measures taken by the IAPs must strike a fair balance between all fundamental rights involved. IAPs may therefore find themselves in the unenviable position of having to determine for themselves the adequacy and proportionality of the blocking measures to be taken, which risks leading to additional litigation over the measures chosen to implement website-blocking orders.
Continue Reading EU Court of Justice Issues New Ruling on Website-Blocking Orders

With initial approval in the European Parliament civil liberties committee (the so-called LIBE Committee), the EU is moving ahead with overhauling its existing 15-year-old Data Protection Directive, replacing it with the General Data Protection Regulation (GDPR). The European Commission introduced the draft GDPR in January 2012 and seeks to harmonize regulations across the 28 member-states, replacing varying national laws with a single, consistent regulation on data handling and individual rights.

This new regime could fundamentally change the privacy and data transfer practices of every large company operating in Europe or offering goods or services to data subjects in Europe, the flows of data within financial services and other firms, and the business practices underlying internet products, cloud computing, or social networks offered to European consumers.
Continue Reading EU Data Protection Rules Might Transform the Internet

In January 2012, the European Commission published its proposal for a general Regulation on data protection, which would apply directly in all EU Member States (see our newsletters from February 28, 2012, July 12, 2012, and January 22, 2013). The new Regulation is intended to replace the current Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, together with the various national laws implementing that Directive.

The Commission’s proposal has meanwhile been extensively discussed within the European Parliament and the Council; thousands of amendments to the original text have been proposed, and lobbyists and interest groups are working overtime.
Continue Reading Will We Have a New EU Data Protection Regulation in 2014?

On June 24, 2013, the European Commission (EC) issued new rules requiring telecom operators and Internet Service Providers (ISPs) to provide data breach notification to regulators within 24 hours of detection. In the U.S., the Department of Health and Human Services (HHS) issued a proposed rule on June 19, 2013 that would require certain entities to report privacy and security incidents within one hour of discovery. Although these are hardly the only two examples where immediate notification is required, these developments highlight the recent trend by regulators to require breach reporting more quickly.
Continue Reading No Time to Waste: Data Breach Notification Required NOW

For more than a year, the United States and the European Union have been engaged in negotiations over a data protection framework covering trans-Atlantic law enforcement cooperation. Last week, U.S. Attorney General Eric Holder and EU Vice-President Viviane Reding met in Washington to discuss that and other topics. Both expressed optimism in a joint press release issued after the meeting, but it remains to be seen whether the enormous gap between U.S. and EU notions of data privacy can be bridged through such an agreement.

In the EU, the privacy of one’s personal data is a fundamental civil right, whereas in the U.S. such privacy considerations are routinely subordinated in the context of law enforcement investigations and prosecutions. The EU’s stringent data protection rules have thus become a recurring sticking point in joint law enforcement efforts between the two governments because the U.S. has been unable to guarantee an “adequate” level of protection for data transfers as far as the EU is concerned.
Continue Reading U.S.-EU Framework Agreement on Data Protection in Law Enforcement Investigations Inches Forward

If you are alleged to have bribed government agents outside the United States or pirated music and movies protected by the Copyright Act, then you may find yourself sitting in a federal court in Richmond, Virginia. Why? Various government agency servers are located in that court’s jurisdiction and evidence of your criminal activities may have passed through government servers or private servers located in that region.

As covered in my previous post, Cloud Computing, Social Media, and Other Internet-Based Data Transmissions Could Give Rise to Personal Jurisdiction in Distant Forums, the physical journey of internet transmissions has become a more prominent aspect of courts’ personal jurisdiction analyses, which has inevitably led to more lawsuits, both civil and criminal, involving foreign nationals. That previous post discussed a Canadian citizen being haled into the District of Connecticut for possible trade secret violations on the basis that she accessed her former firm’s server in order to transfer documents. Another recent case from the Southern District of New York involved the Foreign Corrupt Practices Act (FCPA) and permitted the Securities and Exchange Commission (SEC) to pursue its enforcement action against three Hungarian executives based upon the passage of emails through SEC servers in the U.S. See SEC v. Straub, No. 1:11-cv-09645 (S.D.N.Y., February 8, 2013).
Continue Reading The Internet Flows Through…Virginia: Federal Prosecutors Use Server Location to Extend Their Reach

Apps on mobile devices collect large quantities of data from the device and process it (i) in order to provide services to the end-user, but also (ii) for other purposes that are often unknown to, or unwanted by, the end-user. Much of the data processed, such as location data, contact data, unique device and customer identifiers, credit card and payment data, browsing history, pictures, videos, etc., is personal data under EU data protection law.

The various parties involved in the development and commercialization of mobile apps are often unaware of their obligations under data protection law. These parties include app developers, app owners, app stores, operating system and device manufacturers, and other third parties that may be involved in the collection and processing of personal data from smart devices.
Continue Reading Apps on Smart Devices and Data Protection: February 27, 2013 Opinion of the Article 29 Working Party Provides Valuable Guidance

Earlier this month, a U.S. District Court judge for the Southern District of New York (S.D.N.Y.) ruled that the Federal Trade Commission (FTC) could serve foreign defendants located in India through Facebook messages, as long as the defendants were also served by email. Judge Paul Engelmayer’s order appears to be the first in the U.S. to allow any service through Facebook and the court’s reasoning may have opened the door for judges to allow service on foreign parties through social media. However, that door may be only slightly ajar.

In Federal Trade Commission v. PCCare247 Inc., No. 12 Civ. 7189 (PAE) (S.D.N.Y. March 7, 2013), the court emphasized several important facts before endorsing service by social media:

(1) in September 2012, the FTC made good-faith efforts to serve the Summons and the Complaint using Federal Express, a process server, and the traditional procedures under Federal Rule of Civil Procedure 4(f)(1) and the Hague Convention, but as of March 2013, the Indian Central Authority had not effectuated service or responded to inquiries;

(2) the FTC’s motion to use email and Facebook was limited to serving documents other than the Summons and the Complaint; and

(3) the defendants had received actual notice of the case.
Continue Reading Federal Judge Approves FTC’s Request to Serve Foreign Defendants Through Facebook