International

Subscribe to International via RSS

In what may prove to be a major step forward in US-EU privacy relations, the House Judicial Committee approved H.R. 1428, the Judicial Redress Act of 2015, on September 16.  If enacted, the bill would allow citizens of “covered countries” to bring civil actions in the US under the Privacy Act of 1974.  In effect, this means that certain foreign nationals would have the same rights US citizens have under the Privacy Act – namely, the right to sue US government agencies in order to access, amend, or correct records the agencies may be keeping about them, or to seek redress for the unlawful disclosure of those records.  (Note that the Privacy Act does not cover private businesses or state and local governments; it only allows individuals to seek records from federal government agencies.) Citizens of the US already have such rights in the EU, so the Judicial Redress Act would provide corresponding rights for EU citizens.

Privacy and data security professionals worldwide should circle September 1 on their calendars, as it’s the day Russia’s new data localization law goes into effect – and possibly generates major waves far beyond Russian shores.  That’s because the law has significant implications for companies that collect personal information from Russian citizens, even if those companies do not have any physical presence within Russia.  This post provides an overview of data localization laws generally, with a special focus on Russia’s law and its potential effects.

Last week, Australia became the latest country to pass a mandatory data retention law. The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, which amends Australia’s Telecommunications (Interception and Access) Act 1979, requires telecommunications and Internet service providers (ISPs) to store customer metadata for two years. This means that Australian ISPs and telecom providers will have to store data associated with electronic communications, such as the names and addresses of account holders, the names of the recipients of any communications, the time and duration of communications, the location of equipment used to make the communication (such as cell towers), and computers’ IP addresses. Although the law does not require ISPs and telecoms to store the contents of customers’ electronic communications, metadata still can provide a picture of an individual’s identity, interests, and even location, which makes it of great interest to law enforcement and national security agencies seeking to prevent crime and terrorist attacks. Indeed, the law was promoted as a national security measure designed to give law enforcement access to information that could allow them to prevent terrorist attacks, but its opponents have decried it as a means to subject Australians to mass government surveillance.

The US-EU Safe Harbor has been back in the news recently as Germany’s data protection commissioners met at the end of January and expressed impatience at the delay in implementing what many view as necessary reforms to the program. The European Court of Justice also recently heard a challenge to Facebook’s reliance on the Safe Harbor for the transfer of user data in what many see as an important test case; this lawsuit will be the topic of a future blog post.

On February 3, 2015, European data protection regulators released the Cookie Sweep Combined Analysis Report analyzing how websites use cookies to collect data from European citizens and highlighting noncompliance with Article 5(3) of the EU’s ePrivacy Directive. Among other requirements, this directive mandates that website operators obtain users’ consent for the use of cookies or similar tracking technologies. Notably, the directive purports to reach beyond the borders of European Union to apply to any website directed to or collecting data from European citizens.

To compile data for the report, the EU’s Article 29 Data Protection Working Party conducted a sweep of 478 of the most frequently visited websites in the e-commerce, media, and public sectors in eight EU Member States. The sweep targeted websites in these sectors because they likely pose the greatest risk to data protection and privacy for European citizens. The cookie sweep consisted of two stages: (1) a statistical review of cookies used by the websites and their technical properties; and (2) an in-depth manual review of cookie information and consent mechanisms. The study recorded each website’s cookie notification method, the visibility and quality of cookie information provided, and the mechanism offered for users to express consent.

A few months after the European Court of Justice ruled on May 13, 2014 that search engines are considered personal data controllers under the EU Data Protection Directive of 1995 and, as such, should provide data subjects with a right to be forgotten, a French Tribunal enforced this principle in X & Y v. Google France.

In a summary proceeding on September 16, 2014, the Paris Tribunal (Tribunal de Grande Instance) held that Google must erase from its search engine, under penalty of €1,000 per day, all links leading to defamatory content published on Facebook (see attached judgement: TGI Paris – Ordonnance du 16 septembre 2014).

In April, Microsoft tried to quash a search warrant from law enforcement agents in the United States (U.S.) that asked the technology company to produce the contents of one of its customer’s emails stored on a server located in Dublin, Ireland. The magistrate court denied Microsoft’s challenge, and Microsoft appealed. On July 31st, the software giant presented its case in the Southern District of New York where it was dealt another loss.