Photo of Courtney M. Bowman

Courtney M. Bowman

Subscribe to Courtney M. Bowman's Posts

In what may prove to be a major step forward in US-EU privacy relations, the House Judicial Committee approved H.R. 1428, the Judicial Redress Act of 2015, on September 16.  If enacted, the bill would allow citizens of “covered countries” to bring civil actions in the US under the Privacy Act of 1974.  In effect, this means that certain foreign nationals would have the same rights US citizens have under the Privacy Act – namely, the right to sue US government agencies in order to access, amend, or correct records the agencies may be keeping about them, or to seek redress for the unlawful disclosure of those records.  (Note that the Privacy Act does not cover private businesses or state and local governments; it only allows individuals to seek records from federal government agencies.) Citizens of the US already have such rights in the EU, so the Judicial Redress Act would provide corresponding rights for EU citizens.

Privacy and data security professionals worldwide should circle September 1 on their calendars, as it’s the day Russia’s new data localization law goes into effect – and possibly generates major waves far beyond Russian shores.  That’s because the law has significant implications for companies that collect personal information from Russian citizens, even if those companies do not have any physical presence within Russia.  This post provides an overview of data localization laws generally, with a special focus on Russia’s law and its potential effects.

In a move that may strike fear into the hearts of mobile phone owners everywhere, the Sixth Circuit recently ruled that a person’s “pocket dials” – those inadvertent calls made from a person’s mobile phone, generally when the phone is in its owner’s pocket, and alternatively referred to as “butt dials” – may not be entitled to an expectation of privacy.

Last week, Australia became the latest country to pass a mandatory data retention law. The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, which amends Australia’s Telecommunications (Interception and Access) Act 1979, requires telecommunications and Internet service providers (ISPs) to store customer metadata for two years. This means that Australian ISPs and telecom providers will have to store data associated with electronic communications, such as the names and addresses of account holders, the names of the recipients of any communications, the time and duration of communications, the location of equipment used to make the communication (such as cell towers), and computers’ IP addresses. Although the law does not require ISPs and telecoms to store the contents of customers’ electronic communications, metadata still can provide a picture of an individual’s identity, interests, and even location, which makes it of great interest to law enforcement and national security agencies seeking to prevent crime and terrorist attacks. Indeed, the law was promoted as a national security measure designed to give law enforcement access to information that could allow them to prevent terrorist attacks, but its opponents have decried it as a means to subject Australians to mass government surveillance.

With the new year just around the corner, retailers should make a resolution to learn more about EMV technology.  That’s because 2015 is slated to be the year EMV technology makes significant inroads in the United States, and retailers need to be prepared.  In this post, we answer some frequently asked questions about what the introduction of this new standard means for retailers and the steps they must take in order to prepare for the widespread adoption of this new technology.

Over the past decade, the EU has made significant technological and legal strides toward the widespread adoption of electronic identification cards.  An electronic ID card, or e-ID, serves as a form of secure identification for online transactions – in other words, it provides sufficient verification of an individual’s identity to allow that person to electronically sign and submit sensitive documents such as tax returns and voting ballots over the Internet.  Many people see e-IDs as the future of secure identification since they offer the potential to greatly facilitate cardholders’ personal and business transactions, and the EU Commission has recognized this potential by drafting regulations meant to eliminate transactional barriers currently hindering the cards’ cross-border reach.  However, the increasingly widespread use of e-ID systems also gives rise to significant data security concerns.

Last month, a federal district court in the Northern District of California issued an order that may affect the policies of any company that records telephone conversations with consumers.

The trouble began when plaintiff John Lofton began receiving calls from Collecto, Verizon’s third-party collections agency, on his cell phone.  The calls were made in error – Lofton did not owe Verizon any money because he wasn’t even a Verizon customer – but Lofton decided to take action when he discovered that Collecto had been recording its conversations with him without prior notice.  Lofton brought a class action against Verizon under California’s Invasion of Privacy Act, theorizing that Verizon was vicariously responsible for Collecto’s actions because Collecto was Verizon’s third-party vendor and because Verizon’s call-monitoring disclosure policy did not require the disclosure of recordings in certain situations. Verizon filed a motion to dismiss, arguing that the recordings did not invade Lofton’s privacy and therefore did not run afoul of the statute.