In a non-binding opinion issued on September 23, 2015, an Advocate General for the European Court of Justice (“ECJ”) recommended that the ECJ suspend the U.S.-EU Safe Harbor program (“Safe Harbor”) and reexamine whether the Safe Harbor provides adequate protection for personal data of EU citizens. In light of its non-binding nature, the opinion did not effect any legal change and the ECJ is free to reject or adopt its recommendations. Nevertheless, the opinion has triggered widespread concerns about the future of the Safe Harbor, due in part to the frequency with which the ECJ follows the recommendations of its advisors.
Judicial Redress Act Advances
In what may prove to be a major step forward in US-EU privacy relations, the House Judicial Committee approved H.R. 1428, the Judicial Redress Act of 2015, on September 16. If enacted, the bill would allow citizens of “covered countries” to bring civil actions in the US under the Privacy Act of 1974. In effect, this means that certain foreign nationals would have the same rights US citizens have under the Privacy Act – namely, the right to sue US government agencies in order to access, amend, or correct records the agencies may be keeping about them, or to seek redress for the unlawful disclosure of those records. (Note that the Privacy Act does not cover private businesses or state and local governments; it only allows individuals to seek records from federal government agencies.) Citizens of the US already have such rights in the EU, so the Judicial Redress Act would provide corresponding rights for EU citizens.
SEC Announces Cybersecurity Enforcement Action
On September 22, 2015, the Securities and Exchange Commission (SEC) announced the settlement of an enforcement action against a St. Louis-based registered investment adviser (Adviser) brought under Rule 30(a) of Regulation S-P (Safeguards Rule). The SEC Order charged the Adviser with violating the Safeguards Rule by failing to adopt written…
SEC to Conduct Second Round of Cybersecurity Examinations
On September 15, 2015, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a Risk Alert announcing its second round of examinations of registered investment advisers and broker-dealers under its cybersecurity examination initiative.
A Primer on Russia’s New Data Localization Law
Privacy and data security professionals worldwide should circle September 1 on their calendars, as it’s the day Russia’s new data localization law goes into effect – and possibly generates major waves far beyond Russian shores. That’s because the law has significant implications for companies that collect personal information from Russian citizens, even if those companies do not have any physical presence within Russia. This post provides an overview of data localization laws generally, with a special focus on Russia’s law and its potential effects.
Google Declares “Non!” to French Privacy Regulator’s Demands that Google Apply the “Right to be Forgotten” Worldwide
In an expected but controversial move, Google has rejected a demand by the French Data Privacy authority CNIL to apply the European “Right to be Forgotten” worldwide.
We have covered the E.U.’s Right to be Forgotten before, but here is a quick recap: under the E.U. rule, individuals have the right to require organizations that control personal data about them (“data controllers”) to delete all such data and abstain from further disseminating it. A data controller is required to act on an individual’s request to delete their personal data without delay unless they have a legitimate reason for not doing so. A series of European Court rulings established that search engines such as Google qualify as “data controllers,” and that search engines can be required to “delist” links to content as a means of preventing that content from being disseminated. Most surprising, however, is the suggestion in these rulings that Google can be required to delist links from all Google domains, not just from domains in the E.U. or in specific E.U. countries.
Sixth Circuit Rules that “Pocket Dials” May Not Be Entitled to an Expectation of Privacy
In a move that may strike fear into the hearts of mobile phone owners everywhere, the Sixth Circuit recently ruled that a person’s “pocket dials” – those inadvertent calls made from a person’s mobile phone, generally when the phone is in its owner’s pocket, and alternatively referred to as “butt dials” – may not be entitled to an expectation of privacy.