Originally posted by the Council on Foreign Relations Net Politics Blog on October 8, 2015.
In a decision Tuesday that was as shocking as it was predictable, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor for westward-bound international transfers of personal data. The companies whose information flows to the United States will be impeded by the EU decision need to look to the U.S. government, and not just the EU, for letting this mess happen.
The case stems from a complaint Max Schrems filed with the Irish Data Protection Authority about the privacy risks of using Facebook. He was concerned that electronic communications transferred to the United States would end up in the hands of the NSA’s PRISM program. PRISM involves the NSA’s use of a provision in the Foreign Intelligence Surveillance Act, section 702, that allows it to target non-U.S. persons located outside the United States for foreign intelligence purposes. This section only applies to collections from electronic communication service providers located in the United States.
Today the European Court of Justice (“ECJ”) issued its judgment in the Max Schrems case in which it declared the European Commission’s decision on Safe Harbor invalid. The Commission’s decision in 2000 found that companies participating in the US Department of Commerce Safe Harbor framework were operating under an “adequate” data protection regime and could thus rely on the Safe Harbor as a permissible basis to transfer personal information from the EU to the US. The judgment comes less than two weeks after the publication of the opinion from Advocate General Bot in which he advised that national Data Protection Authorities (“DPAs”) must be able to investigate an individual request to suspend data flows to the US by a company certified under the Safe Harbor scheme, and in which he also found the Safe Harbor scheme to be invalid.
In a seismic recommendation, Advocate General Yves Bot at the European Court of Justice (ECJ) issued his opinion in the closely watched Max Schrems case challenging the U.S.-EU Safe Harbor Agreement and found Safe Harbor to be invalid. The opinion is not legally binding on the ECJ, although the Court most often follows the opinions of the Advocate General. The Advocate General’s recommendation makes the status of the existing Safe Harbor agreement even more uncertain, but it acknowledges negotiations between the European Commission and the U.S. for an updated agreement and may leave room for a different result if such an agreement addresses concerns in the opinion about U.S. bulk surveillance.
On Monday, the U.S. Court of Appeals for the Third Circuit issued its much-anticipated decision in Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015), holding that the Federal Trade Commission has the authority to bring an action under Section 5 of the FTC Act for allegedly “unfair” cybersecurity practices.
One year after the Data Retention and Investigatory Powers Act 2014 (“DRIPA”) received royal assent on 17 July 2014, the English High Court issued a landmark judgment in Davis & Ors v Secretary of State for the Home Department EWHC 2092 (Admin) declaring DRIPA to be unlawful.
An already active TCPA class action bar is sure to become even more active after a significant Declaratory Ruling and Order from the FCC that, among other points, broadened what technologies may be considered autodialers, gave further strength to class actions based on reassigned cell numbers, and muddied the waters for constructing compliance mechanisms to support consumer revocation of consent.
On July 10, 2015, the Federal Communications Commission issued a declaratory ruling to resolve various concerns raised by 21 petitions regarding the Commission’s implementation of the Telephone Consumer Protection Act, which carries a $500 penalty for each call or text in violation.
On May 26, 2015, Judge Lucy Koh in the Northern District of California granted class certification to plaintiffs in In re Yahoo Mail Litigation, Case No. 13-CV-04980-LHK (N.D. Cal. May 26, 2015) (“Yahoo”). This ruling will likely have an effect on how class action claims are alleged and could impact email providers’ policies and procedures pertaining to email scanning and user consent. In particular, companies may wish to review the impact of their privacy disclosures and consent framework to non-subscribers who may interact with users who have consented to the companies’ policies.
The English Court of Appeal has recently issued a landmark judgment against Google which could open the door to data privacy litigation in the EU.
The case concerned the collection by Google of Safari users’ browser information, allegedly without their knowledge or consent. In its opinion, the Court of Appeal held that four individuals who used Safari browsers can bring a claim for breach of privacy and that the damages claimed can include distress – even in circumstances where there is no financial loss, as this had been the intention of the EU’s Data Protection Directive. To reach this result, the Court relied on EU legal authorities to override and displace limitations on recovery under the UK Data Protection Act.
On May 4, 2015, an intermediate appellate court in California held that the Song-Beverly Credit Card Act of 1971 (Song-Beverly), Cal. Civil Code § 1747.08, does not apply to online transactions involving the sale of merchandise that the buyer chooses to pick up at a retail store.