Data Privacy Laws

Subscribe to Data Privacy Laws via RSS

The average American today generates more media than they did at any other point in history, and the ease with which our communications, photos, and videos are sent and stored digitally means most of us have more media stored in the cloud or on a single digital device than previous generations would have created in an entire lifetime. However, even as the amount of media we create and store has increased, the laws governing its search and seizure have failed to keep up. Under federal law and the laws of most states, the same information may be subject to different levels of protection from government authorities depending on whether that information is in the form of an e-mail stored in the cloud or a letter stored in a desk drawer.

California is attempting to change that equation. On October 8, 2015, Governor Jerry Brown signed into law the California Electronic Communications Privacy Act (CalECPA, SB 178), a sweeping bill

Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States.  The Commission also stated its objective to conclude negotiations with the U.S. government regarding the so-called Safe Harbor 2.0 within three months.  This timeline dovetails with the Article 29 Working Party’s grace period, which continues until the end of January 2016.

Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations.

News out of Germany, however, indicates that a one-size-fits all approach to data transfers from the EU to the U.S. may be difficult to achieve.

Results from the SEC’s First Round of Cybersecurity Examinations. On February 3, 2015, the OCIE published a risk alert summarizing its findings from its examinations of over 100 registered investment advisers and broker-dealers. The examinations were conducted as part of the OCIE’s cybersecurity examination initiative, announced in April 2014, to assess cybersecurity preparedness in the securities industry and gather information on common practices and trends among registered firms. The OCIE interviewed key personnel and reviewed documents at 49 registered investment advisers and 57 registered broker-dealers. The OCIE’s findings focused on how registered investment advisers and broker-dealers:

  • Identify cybersecurity risks;
  • Establish cybersecurity policies, procedures and oversight processes;
  • Protect their networks and information;
  • Identify and address risks associated with remote access to client information, funds transfer requests and third-party vendors; and
  • Detect and handle unauthorized activities and other cyber-attacks.

Since the Article 29 Working Party on the Protection of Individuals (“WP29”) announced last week that it would it shortly issue a statement on the landmark CJEU ruling invalidating the Safe Harbor Decision (Schrems v. Data Protection Commissioner (C-362- 14)), we have been awaiting their guidance.  Today, the WP29 issued an important statement offering some clarity to companies that, amid the fallout from the decision, have been pondering the question of “What’s next?”

Just one week after the milestone decision rendered by the CJEU (http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=fr&type=TXT&ancre) to invalidate the Safe Harbor program established 15 years ago between the U.S. and the EU to facilitate the transfer of personal data from the EU to the U.S., a German data protection authority (DPA) issued

In a non-binding opinion issued on September 23, 2015, an Advocate General for the European Court of Justice (“ECJ”) recommended that the ECJ suspend the U.S.-EU Safe Harbor program (“Safe Harbor”) and reexamine whether the Safe Harbor provides adequate protection for personal data of EU citizens.  In light of its non-binding nature, the opinion did not effect any legal change and the ECJ is free to reject or adopt its recommendations.  Nevertheless, the opinion has triggered widespread concerns about the future of the Safe Harbor, due in part to the frequency with which the ECJ follows the recommendations of its advisors.

In what may prove to be a major step forward in US-EU privacy relations, the House Judicial Committee approved H.R. 1428, the Judicial Redress Act of 2015, on September 16.  If enacted, the bill would allow citizens of “covered countries” to bring civil actions in the US under the Privacy Act of 1974.  In effect, this means that certain foreign nationals would have the same rights US citizens have under the Privacy Act – namely, the right to sue US government agencies in order to access, amend, or correct records the agencies may be keeping about them, or to seek redress for the unlawful disclosure of those records.  (Note that the Privacy Act does not cover private businesses or state and local governments; it only allows individuals to seek records from federal government agencies.) Citizens of the US already have such rights in the EU, so the Judicial Redress Act would provide corresponding rights for EU citizens.