On July 31, a U.S. District Court judge ruled from the bench that Microsoft could be forced to turn over customer emails in the context of a law enforcement investigation even though those emails were stored on servers located in Ireland. Microsoft had contested the government’s request, arguing that the data was subject to Irish law and that the U.S. government was required to utilize law enforcement treaty channels to obtain the data. Since the ruling, many have expressed surprise that the ruling gave such seemingly expansive jurisdiction to the U.S. government. But it shouldn’t come as a surprise to those who follow these issues, including readers of Hogan Lovells’ white papers on government access, that U.S. law enforcement can compel companies subject to its jurisdiction to produce data stored abroad, much as it shouldn’t come as a surprise that many other countries’ governments provide the exact same authority.
The dust has yet to settle but much has already been said about the implications of the Google Spain decision by the Court of Justice of the European Union and the right to be forgotten. The controversy has focused on the impact of this judgment on freedom of expression and the right of access to information, as well as the potentially devastating effect of a large amount of deletion requests. EU regulators are wondering – like everybody else – how big and unmanageable this is going to get, whilst search engines scramble for resources to deal with the unknown. With the prospect of an even more demanding EU privacy framework looming over the horizon, the right to be forgotten decision is a potential game changer for the whole Internet industry. But the CJEU did not just enable an unprecedented level of control by individuals over their data, it shook the basis on which the applicability of EU data protection law has been understood until now.
In a recent client alert, Hogan Lovells partners from the firm’s London and Washington, D.C. offices highlighted key takeaways for businesses following the European Data Protection Supervisor’s Workshop on Privacy, Consumers, Competition, and Big Data. The workshop, hosted by EDPS in the European Parliament in Brussels on 2 June 2014, discussed the technological advances and market for ‘big data’ analytics and the policy implications for the fields of data protection, competition and consumer protection of the rapidly expanding digital economy in the EU and in other regions, particularly in the US. Around 70 experts attended, including representatives from the European regulators and the US Federal Trade Commission.
Two developments in Russian law this summer could significantly limit the ability of cloud and other online services to publish online content and to make Russian data remotely available online. The first is the advancement of legislation requiring data operators to store locally in Russia information of Russian citizens. The second is the countdown to the effective date of new rules that impose onerous registration, content, and censorship requirements on certain website operators and electronic communication services. We address each here in turn.
Hogan Lovells today published Pan-American Governmental Access to Data in the Cloud, the fifth installment in a series of White Papers examining government access to data held by Cloud service providers. Examining the right of governments in the United States and Latin America to access data in the Cloud, the White Paper concludes that the physical location of Cloud servers does not significantly affect government access to data stored on those servers, and that it is fundamentally incorrect to assume that the United States government’s access to data in the Cloud is greater than that in the Latin American countries examined.
The French data protection authority has announced that following the “cookie sweep day” due to take place the week commencing 15 September 2014, it will launch a program of website audits in October to verify compliance with the CNIL’s 5 December 2013 cookie recommendations.
On 10 July, the UK government announced cross-party backing for emergency legislation designed to ensure that the police and security services can continue to access communications data held by communications service providers for the purpose of investigating criminal activity and protecting national security. This is in response to the recent European Court of Justice judgment of 8 April 2014 in joined cases (C-293/12 Digital Rights Ireland & C-594/12 Seitlinger) which declared the Data Retention Directive (2006/24/EC) invalid.
In a new turn to the Maximilian Schrems case in Ireland, the Irish High Court on 18 June 2014 decided to refer several questions to the European Court of Justice, including whether national data protection authorities in Europe may disregard the Safe Harbor decision of the European Commission when assessing whether the U.S. recipient of data ensures an adequate level of data protection required under EU law. Depending on the outcome of the case, European and U.S. companies may not be able to rely on Safe Harbor to legitimise cross-border data transfers in the future.
The German Federal Labor Court has published its reasoning underlying a June 2013 decision in which it declared invalid the dismissal by a large supermarket of an employee who was found in possession of stolen goods. According to the Court, the factual evidence leading to the dismissal—obtained upon inspection of the employee’s workplace locker without the presence of the employee—was gathered in violation of the employee’s right to privacy established by the German Federal Data Protection Act. The ruling represents a shift in case law regarding employee data privacy where German courts are likely to exclude from civil law proceedings information collected in violation of statutory data privacy requirements. Companies operating in Germany should be aware of these requirements in order to avoid losing lawsuits as a consequence of non-compliance with strict local data privacy rules.
The “one-stop-shop” EU data protection regulator was originally presented as one of the fundamental pillars of the future Data Protection Regulation, but now hangs in the balance of the EU legislative process. This post provides the latest on the status of one-stop-shop in the Council of the EU, where it currently is being debated.
In an Op-Ed for the National Post entitled “Sorry, but there’s no online ‘right to be forgotten’,” privacy advocates Ann Cavoukian and Christopher Wolf team up to consider the consequences of the European Court of Justice’s “Right to Be Forgotten” ruling. The pair focus on potential conflicts created by the Right to Be Forgotten between the right to privacy and that of free expression and highlight the plausible outcome that companies, in their new forced role as online censors, may “err on the side of deleting links to information.”
In a recent advisory opinion related to an exemption under the International Traffic In Arms Regulations, the State Department confirmed that a company could use a data security method called “tokenization” to protect export-controlled technical data stored in the cloud on servers located outside the United States, provided the company satisfied the conditions of the exemption and took “sufficient means” to prevent foreign persons from accessing such technical data. Although the advisory opinion is quite narrow in scope, it is the first publicly-available formal position from the State Department on the ITAR implications of cloud computing.
Canada’s new anti-spam law was passed in December 2010, and certain provisions will become effective 1 July 2014 — including new consent requirements for e-mails and certain other electronic messages. As of 1 July 2014, an organization must have consent to send commercial electronic messages (CEMs) to an email account, telephone account or instant messaging account. In addition, CEMs must include certain identification information and an unsubscribe mechanism. The law applies to messages whenever a computer system located in Canada is used to send or access the CEM. Certain exemptions and transition periods also apply.
Whilst the reform of the EU data protection framework continues its tortuous course in Brussels’ corridors of power, privacy pros in the real world are doing their best to cope with the current uncertainty. One of the ever-present sources of concern for those with data-related operations in Europe is how to overcome the restrictions affecting international data transfers in a cost-effective, sustainable and effective manner. In reality, there are many paths to follow, but choosing the right one is not always obvious—each case is different, and limited resources and time constraints often add an unwelcome degree of stress and complexity to the process.
The Chairman of the French National Assembly, Claude Bartolone, announced June 11 the creation of a parliamentary commission on digital rights, whose task will be among other things to define guidelines for evaluating legislative proposals affecting digital rights. France’s new Digital Rights Commission consists of 13 members of Parliament and 13 outside experts. Among the outside experts is Hogan Lovells partner Winston Maxwell, known for his work on net neutrality and data privacy.
The discussion at the Council of the EU in the context of the European data protection legislative reform that took place on 6 June is by no means the end of a process which is likely to carry on for at least a year, but it provided a helpful pointer as to where the policy making thinking is. One of the biggest challenges that organisations operating in the EU have faced since the 1990s is the prohibition on transfers of data to jurisdictions outside the EU without equivalent standards of data protection. The ongoing legislative reform is an opportunity to review the existing regime and bring it into line with today’s data globalisation.
Vodafone’s publication last Friday of its first Law Enforcement Disclosure Report attracted global press attention and comment. The report provides detailed insight into the legal frameworks, governance principles and operating procedures associated with responding to demands for assistance from law enforcement and intelligence agencies in 29 countries in which Vodafone operates.
Three weeks after the FTC’s seminar on Consumer Generated and Controlled Health Data, the French data protection authority, the CNIL, held its own workshop on connected health and wellness devices. This blog post summarizes the results of the CNIL workshop.
A recent article by Hogan Lovells provides key takeaways for businesses in light of last week’s landmark ruling by the European Court of Justice that in effect judicially sanctioned a “right to be forgotten” allowing data subjects to scrub their names from a public record while also extending jurisdiction under European data protection law to include non-EU companies that may have a branch or subsidiary in the European Union and that collect data in the context of business activities in the European Union.
Internet service providers, social media websites, search engines, and other online companies hosting user-generated content that do business in Brazil or collect information online from Brazilian consumers should be aware of the “Marco Civil da Internet,” or Brazilian Internet Law, that takes effect 23 June 2014. As detailed in an alert published by attorneys from the Hogan Lovells Washington, D.C., São Paulo, and Rio de Janeiro offices, while Brazil still does not have a comprehensive privacy law, the Brazilian Internet Law contains privacy requirements that broadly restrict these companies from the sharing of users’ personal information, their communications, and certain online logging data. Covered companies will, however, be required to retain Web logs for a period of time and protect the user-related information they hold.
The Article 29 Working Party’s new opinion on anonymization techniques provides a useful primer on randomization and generalization (i.e., data aggregation) techniques used to anonymize data sets. The opinion analyzes each technique based on three ways that data can be re-identified: the ability to single out individuals after the anonymization technique has been applied; the linkability of the anonymized data sets to other data sets; and finally the ability of the data sets to resist inference attacks after application of the anonymization technique. Organizations depending on anonymization for compliance with the Data Protection Directive would be well advised to review their anonymization processes to determine if they comport with the standards set out in the opinion.
In a decision rendered on 8 April 2014, the European Court of Justice (ECJ) declared the Data Retention Directive invalid. The Court’s decision was grounded on its conclusion that, by requiring the retention of the data falling within the scope of the Directive, and by allowing the competent national authorities to access those data, the Directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.