On November 23, 2016, the Court of Justice of the European Union (CJEU) set aside a judgment by the lower General Court which could have set a dangerous precedent for the protection of business secrets and confidential business information (CBI) in environmental cases in the European Union. *
The U.S. Court of Appeals for the Eleventh Circuit has ordered the FTC to halt enforcement of its data security order against LabMD while LabMD challenges the action.
To recap the events leading up to this stay, a data security company allegedly obtained sensitive data from LabMD via a peer-to-peer file-sharing program. Allegedly, after LabMD refused to purchase the company’s security products, it reported the alleged data security vulnerability to the FTC. The FTC accused LabMD of unfair practices in failing to provide reasonable and appropriate security for customers’ personal information, which was allegedly likely to cause harm to customers. In 2015, an Administrative Law Judge dismissed the case, finding that the FTC failed to prove LabMD’s practices were likely to cause substantial customer injury. In July 2016, upon appeal to the full Commission, the FTC reversed the ALJ decision. Although LabMD stopped operating in 2014, the FTC nevertheless ordered LabMD to implement several information security compliance measures because the Lab still maintains medical records. LabMD appealed to the Eleventh Circuit and filed a motion to stay the FTC’s order.
Last week, we posted a brief account of the two challenges that have been filed in the General Court of the Court of Justice of the European Union challenging the Privacy Shield, first by Digital Rights Ireland in September and then by La Quadrature du Net last Monday. Today, the Official Journal of the European Union published notice of the Digital Rights Ireland pleading, the first time it has been publicly available.
This posting means the clock has started running on applications to intervene. Applications to intervene are due in 60 days, or January 6, 2016. To establish a right to intervene, an application must include a statement of the circumstances showing “an interest in the result” of the case.
Two legal challenges have been filed at the Court of Justice of the European Union (“CJEU”) against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield. Privacy Shield was adopted on July 12, 2016 after the CJEU struck down the earlier Safe Harbour agreement in October 2015 over concerns about U.S. surveillance techniques.
The European Commission has drafted amendments to the adequacy decisions that underpin the European Union’s Standard Contractual Clauses (“SCCs”) that allow businesses to transfer personal data originating in the European Economic Area (“EEA”) outside of the EEA. While the Commission has not published the full text of its proposals, they may have a significant practical impact on all businesses that rely on SCCs for international data transfers, including to the United States.
*This article originally appeared in L.A. Biz at bizjournals.com on Oct. 11, 2016.
Over the past few months, Taylor Swift and Kanye West’s feud over a recorded phone call has put the California Invasion of Privacy Act (CIPA) in the spotlight.
Who can record a call? What type of consent is needed? These questions are not just fodder for celebrity tabloids but fundamentally important issues for companies recording customer service calls.
CIPA, codified in California’s Penal Code Section 630 et seq., is an invasion of privacy statute originally designed to restrict wire-tapping and the recording of calls snatched from the airways at the dawn of the wireless telephone industry.
However, in recent years, plaintiffs’ lawyers have embraced Section 632.7 of the Act as a sword to attack companies that record customer service calls.
*Updated on September 8, 2016
*This article originally appeared in Law360 on August 1, 2016.
On July 14, 2016, the U.S. Court of Appeals for the Second Circuit issued a long-awaited decision that — to the surprise of many observers — rejected the government’s construction of the Stored Communications Act and instead embraced a more restrictive view that Microsoft Corp. had advanced, backed by much of the tech industry and many privacy groups. The decision holds that electronic communications that are stored exclusively on foreign servers cannot be reached by U.S. prosecutors under the SCA’s warrant provisions — not even where the warrant is served on a U.S. provider that can access the foreign-stored information, and deliver it to U.S. officials, entirely by using computers and personnel based here in the United States. Microsoft Corp. v. USA, In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation (2d Cir. July 14, 2016)( Docket No. 14‐2985).
The Article 29 Working Party, on July 26, 2016 issued a statement on the final form of the EU-US Privacy Shield, which was formally adopted on July 12, 2016. Speaking at a press conference, Isabelle Falque-Pierrotin, chairman of the Article 29 Working Party, stated that the EU data protection authorities would not launch legal action of their own initiative in the next year but instead will wait until after the first annual review: “the first joint review will be a time in which we will make an evaluation of the Privacy Shield and also a time where additional propositions could be made … we want to be provided with additional clarification, additional evidence, possibly changes in the legislation.” (more…)