Originally posted by the U.S. Chamber Foundation, Sept. 22, 2015, as part of a series of articles relating to the Internet of Everything project. Read more at uschamberfoundation.org/ioe.
The reverberations throughout global markets of China’s economic slowdown and stock market fall remind us once again how much the world’s major economies depend on each other.
Nowhere is this more true than between the European Union and the United States, the world’s two largest economic entities. Together, they account for one-half of the world’s GDP and about one-third of its trade flows. So the United States has a significant stake in the success of the European Commission’s Digital Single Market Strategy. Its promise of economic growth for Europe will help to lift the American economy as well, and Americans share the Commission’s vision of information and communications technology as “the foundation of all modern innovative economic systems.” Read More
In a seismic recommendation, Advocate General Yves Bot at the European Court of Justice (ECJ) issued his opinion in the closely watched Max Schrems case challenging the U.S.-EU Safe Harbor Agreement and has found Safe Harbor to be invalid. The opinion is not legally binding on the ECJ, although the Court most often follows the opinions of the Advocate General. The Advocate General recommendation makes the status of the existing Safe Harbor agreement even more uncertain, but acknowledges negotiations between the European Commission and the U.S. for an updated agreement and may leave room for a different result if such an agreement addresses concerns in the opinion about U.S. bulk surveillance.
The Practising Legal Institute has published “Cybersecurity: A Practical Guide to the Law of Cyber Risk,” a treatise edited by Ed McNicholas and Vivek Mohan of Sidley Austin LLP. This “Sidley on Cybersecurity” treatise sets out in a clear and readable manner the complex legal framework for cybersecurity in the United States. We hope that it will be a practical legal guide for in-house attorneys, IT leaders, senior executives, and corporate directors concerned about cybersecurity risk.
The National Telecommunications and Information Administration (“NTIA”), housed within the U.S. Commerce Department, has been facilitating a multistakeholder process to develop privacy safeguards for the commercial use of facial recognition technology since December of 2013—with the first in person meeting held in February 2014. NTIA seeks to create a voluntary, enforceable code of conduct applying the administration’s privacy framework, including its proposed Consumer Privacy Bill of Rights, to facial recognition technology in a commercial context. After a little over a year in talks, and shortly after the NTIA’s 12th meeting, the process has broken down. On Monday, June 15, a joint statement signed by representatives of multiple privacy advocacy groups, including the Center for Democracy and Technology, the Electronic Frontier Foundation, Consumer Watchdog and the ACLU, declared that they “have decided to withdraw from further negotiations” because the process has been unable to elicit agreement “on any concrete scenario where companies should employ facial recognition only with a consumer’s permission.” The joint statement further argues that “[t]he position that companies never need to ask permission to use biometric identification is at odds with consumer expectations, current industry practices, as well as existing state law.”
The English Court of Appeal has recently issued a landmark judgment against Google which could open the door to data privacy litigation in the EU.
The case concerned the collection by Google of Safari users’ browser information, allegedly without their knowledge or consent. In its opinion, the Court of Appeal held that four individuals who used Safari browsers can bring a claim for breach of privacy and that the damages claimed can include distress – even in circumstances where there is no financial loss, as this had been the intention of the EU’s Data Protection Directive. To reach this result, the Court relied on EU legal authorities to override and displace limitations on recovery under the UK Data Protection Act.
On February 26, 2015, the Federal Communications Commission (FCC) passed the Open Internet Order to reclassify “broadband Internet access service” as a telecommunication service under Title II of the Communications Act of 1934. In doing so, the FCC found that applying section 222 of the Communications Act to broadband Internet access services is in the public interest and necessary for the protection of customers. Section 222 imposes a duty on telecommunications carriers to protect the confidentiality of proprietary information obtained from their customers or other carriers, and imposes special rules for use and disclosure of information related to customers’ phone service and usage, known as customer proprietary network information (“CPNI”).
Data Protection Law & Policy
In the last few years, privacy has evolved to become a topic of concern for more and more people. Recent studies have also shown that people have stopped using a particular product or service because they were worried about how it used their personal data. However, what is less clear is whether this is a concern for all generations or does the common perception that young people do not care about their privacy hold some element of truth? William Long, Geraldine Scali and Francesca Blythe, Partner, Senior Associate and Associate respectively at Sidley Austin LLP, explore this question.
During the opening session of any new Congress, the House of Representatives sets the rules that will govern hearings, floor proceedings and debate. Typically, rule changes are minor. This year, the House quietly made one important change that could significantly affect institutions that are subject to government inquiries.
The first edition of The Privacy, Data Protection and Cybersecurity Law Review appears at a time of extraordinary policy change and practical challenge for this field of law and regulation. Several Sidley lawyers in the Privacy, Data Security and Information Law practice have contributed to this publication.
Editor’s Preface, Alan Charles Raul
- Chapter 1, “European Union Overview,” William Long, Geraldine Scali and Alan Charles Raul
- Chapter 2, “APEC Overview,” Catherine Valerio Barrad and Alan Charles Raul
- Chapter 9, “Hong Kong,” Yuet Ming Tham and Joanne Mok
- Chapter 12, “Japan,” Takahiro Nonaka
- Chapter 16, “Singapore,” Yuet Ming Tham, Ijin Tan and Teena Zhang
- Chapter 20, “United Kingdom,” William Long and Geraldine Scali
- Chapter 21, “United States,” Alan Charles Raul, Tasha D Manoranjan and Vivek Mohan
A recent judgment of the highest court in the European Union announced that search engines within the court’s jurisdiction must respond to “right to be forgotten” requests. This authoritative interpretation of the existing data protection laws may create significant issues for Internet intermediaries and exacerbate the differences between the European privacy-based “right to be forgotten” and the United States’ free-speech based “right to remember.” This judgment will have a significant impact not only on search engine companies and publishers, but also on many other industries, including financial services and life sciences, that need to maintain data on individuals for legitimate business reasons, often for lengthy periods.