The U.S. President and European Commission President announced in a joint press statement on March 25th, 2022 that an agreement “in principle” has been reached on a new Trans-Atlantic Data Privacy Framework (Privacy Shield Agreement 2.0). Once approved and implemented, the agreement would facilitate the transatlantic flow of personal data and provide an alternative data transfer mechanism (in addition to EU Standard Contractual Clauses and Binding Corporate Rules) for companies transferring personal data from the EU to the U.S. This is a welcome announcement for companies that have been dealing with the legal uncertainty of such data flows following the Schrems II decision in July 2020, which invalidated the EU-U.S. Privacy Shield 1.0 for international transfers of personal data.
*This article originally appeared in L.A. Biz at bizjournals.com on Oct. 11, 2016.
Over the past few months, Taylor Swift and Kanye West’s feud over a recorded phone call has put the California Invasion of Privacy Act (CIPA) in the spotlight.
Who can record a call? What type of consent is needed? These questions are not just fodder for celebrity tabloids but fundamentally important issues for companies recording customer service calls.
CIPA, codified in California’s Penal Code Section 630 et seq., is an invasion of privacy statute originally designed to restrict wire-tapping and the recording of calls snatched from the airways at the dawn of the wireless telephone industry.
However, in recent years, plaintiffs’ lawyers have embraced Section 632.7 of the Act as a sword to attack companies that record customer service calls.
In a milestone decision on transatlantic data protection, the Court of Justice of the European Union (CJEU) issued its judgment in the Schrems case, declaring the Commission decision on the EU-U.S. Safe Harbor agreement invalid. The CJEU declared that such a decision requires a finding that the level of protection of fundamental rights and freedoms in the laws and practices of the third country is “essentially equivalent” to that guaranteed within the EU. Given the CJEU’s decision, the Commission and data protection authorities are now called upon to examine the legal order in the U.S. and compare its level of protection to that within the EU.
This report provides a roadmap and resource for this comparison. Following the analysis laid out by the CJEU in Schrems, it shows how privacy values deeply embedded in U.S. law and practice have resulted in a system of protection of fundamental rights and freedoms that meets the test of essential equivalency.
The National Telecommunications and Information Administration (“NTIA”), housed within the U.S. Commerce Department, has been facilitating a multistakeholder process to develop privacy safeguards for the commercial use of facial recognition technology since December of 2013—with the first in person meeting held in February 2014. NTIA seeks to create a voluntary, enforceable code of conduct applying the administration’s privacy framework, including its proposed Consumer Privacy Bill of Rights, to facial recognition technology in a commercial context. After a little over a year in talks, and shortly after the NTIA’s 12th meeting, the process has broken down. On Monday, June 15, a joint statement signed by representatives of multiple privacy advocacy groups, including the Center for Democracy and Technology, the Electronic Frontier Foundation, Consumer Watchdog and the ACLU, declared that they “have decided to withdraw from further negotiations” because the process has been unable to elicit agreement “on any concrete scenario where companies should employ facial recognition only with a consumer’s permission.” The joint statement further argues that “[t]he position that companies never need to ask permission to use biometric identification is at odds with consumer expectations, current industry practices, as well as existing state law.”
From Military to Civilian Use
Traditionally, it was militaries that developed, then deployed unmanned aerial vehicles (drones) for combat roles or intelligence-gathering missions. The use of drone technology in the recreational space, and a projected spike in the commercial exploitation of drones, have caught the attention of Hong Kong and Singapore’s regulators. The ongoing privacy debate about how best to regulate presently under-regulated commercial drone use is expected to intensify. Actual or prospective commercial drone operators are advised to monitor what is expected to be an evolving aviation and privacy regulatory environment in two of the Asia Pacific’s key commercial centers.
California has been experiencing a wave of putative class actions under the California Invasion of Privacy Act (“CIPA”). A decision this week by a federal court judge in California could halt new case filings and lay the groundwork for the dismissal of pending actions.
The European Parliament has voted in a plenary session on March 12, 2014 to fully endorse the draft EU Data Protection Regulation (the Regulation) and the draft EU resolution calling for the immediate suspension of Safe Harbor (the Resolution), both of which were adopted previously by the European Parliament’s Civil Liberties Committee (the LIBE Committee).
According to the European Commission’s press release “today’s plenary vote means the position of the Parliament is now set in stone and will not change even if the composition of the Parliament changes following the European elections in May.”
A draft report by the European Parliament’s Civil Liberties Committee (the LIBE Committee) indicates that it is attempting to fundamentally alter the existing compliance mechanisms for transferring personal data from Europe. The recently leaked draft is dated December 23, 2013 and expresses the LIBE Committee’s response to the U.S. NSA surveillance programs, surveillance in various EU Member States and the impact on EU citizen’s fundamental rights and on transatlantic cooperation (the Report).
The European Commission has released a comprehensive package of communications, reports and papers that set out actions which the Commission believes can restore trust in transatlantic data flows between the European Union and the United States following recent concerns over access to data by intelligence agencies.