Data Privacy

EU-U.S. Privacy Shield – Its Origins and the High Bar It Must Meet

To predict the Privacy Shield’s future, it’s helpful to recall its origins and to understand the high bar it must meet – namely, ensuring “an adequate level of protection” under the Data Protection Directive.

As to its origins, because the Commission had not recognized the United States as having adequate protection, in 2000 the EU and the U.S. were forced to come up with mechanisms to enable companies to continue to transfer personal data from the EU to the U.S. The Safe Harbor framework, blessed by the Commission in an adequacy decision (“Safe Harbor Decision”), was one of the mechanisms agreed upon between the EU and the U.S.

Under the Safe Harbor framework, U.S. companies were able to self-certify through the DOC that they adhered to the privacy principles set forth in the Safe Harbor Decision. Before the framework was invalidated in 2015, more than 4,000 U.S. businesses, including Facebook, had self-certified under it. Significantly, as

EU-U.S. Privacy Shield – What’s Its Future?

It’s been almost one year since the EU-U.S. Privacy Shield (Privacy Shield) came into existence.  Its upcoming annual review in September by the European Commission (Commission) and the U.S. Department of Commerce (DOC) – its first such review – is being viewed by many as a pivotal test for the framework.  Success will boost confidence in the Privacy Shield’s durability, a vulnerability often cited by its critics. Even if it passes, however, the Privacy Shield is likely to continue to face challenges going forward.

Thus, for U.S. companies presently considering self-certification, the timing is right to ask the question whether the Privacy Shield is here to stay, and if so, how it might change going forward. To answer these questions, I think we need to recall the Privacy Shield’s origins and the context in which it arose, as well as fully understand its requirements and what compliance entails.

At the same time, it also is important for U.S. companies to consider the

Internet Privacy – ISP Snooping and U.S. Surveillance Laws

It’s hard to imagine a world in which the U.S. Postal Service is permitted to peer inside our personal mail, or gather and track the address and other data we place on our mail, and then use and sell what it learns about us.

Yet, when it comes to our web browsing activities and electronic communications, isn’t that what Internet Service Providers (ISPs) are now lawfully able to do as a result of the U.S. government’s recent action overturning the FCC’s privacy rules?

The Electronic Communications Privacy Act (ECPA) puts some privacy limits on what ISPs can do. But the question is, are they sufficient based on what we know today?  Let’s look at some of those privacy limits, and you be the judge.

The ECPA, enacted in 1986, long before anyone knew about the Internet, e-mail, and the vast array of other new technologies that we use today, is the primary federal surveillance law applicable to

Internet Privacy – What the U.S. Can Learn from the European Union

With respect to Internet privacy, as a result of recent U.S. government action, Americans now have less protection and are more at risk of government surveillance and potential misuse of their personal information, as compared with citizens of the European Union (EU).

By overturning the FCC’s privacy regulations and stripping the FCC’s authority to implement similar privacy regulations in the future, the U.S. government has created an enormous Internet privacy regulatory void. As a result of such action, there now appear to be no federal regulatory limitations on the types of personal information Internet Service Providers (ISPs) can collect, use and disclose regarding the Internet activities of their subscribers, nor any obligations imposed on ISPs with respect to data retention, data protection or breach notification.

This regulatory void in the U.S. contrasts sharply with EU law, which generally prohibits ISPs from using or disclosing any personal information without the opt-in consent of their subscribers. Under the EU’s new General

Filling the Void in Internet Privacy: Time to Turn to the Courts (Again)

Now that the U.S. government has overturned the FCC’s privacy regulations, are courts more likely to step in to protect the Internet privacy rights of individuals?

More specifically, how will courts respond when an Internet Service Provider (ISP) divulges to law enforcement the content and details of a subscriber’s Internet activity without a search warrant having been obtained, even though law enforcement has complied with the judicial process set forth in the Electronic Communications Privacy Act (ECPA), in particular, the Stored Communications Act (SCA)? Will courts require a search warrant even though the SCA does not require one?

If the past is any indication, I anticipate that an increasing number of federal and state courts, when faced with this question, will find that individuals have a “reasonable expectation of privacy” in the content and details of their Internet activity and that they will prohibit the government from obtaining warrantless access to such information under applicable constitutional law. The constitutional law could

U.S. Government’s Assault on Internet Privacy – Where Do We Go From Here?

The U.S. government’s action this week overturning the FCC’s recently passed privacy regulations and stripping the FCC’s authority to implement similar privacy regulations in the future, whether one agrees or disagrees with it, raises more questions than answers, and its long-term implications are potentially far-reaching and not very well understood. Indeed, by shining a light on the issue, the government’s action will undoubtedly unleash a torrent of efforts by politicians, legislators, regulators, judges, technologists and others to find ways to improve the Internet privacy protection of U.S. citizens.

At the very least, the government’s decision may well mark the death knell for the Fourth Amendment’s much-criticized third-party doctrine, judicial support for which has been slowly eroding with the advance of technology and the Internet. See, e.g., the concurring opinions of Justices Sotomayor and Alito in U.S. v. Jones, 132 S. Ct. 945 (2012).

The government’s decision creates an enormous void in Internet privacy regulation which is bound