Inside Privacy

Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Looking at Police-Community Relations Through the Lens of Body-Worn Cameras

Posted in United States

As protests have continued across the nation in the wake of back-to-back decisions by grand juries in Missouri and New York not to indict white police officers for their involvement in the deaths of unarmed black citizens, civil rights advocates, along with state leaders and the federal government, are exploring measures to better relationships between law enforcement and communities of color.  Just last week, the Department of Justice released a revised version of its Guidance Regarding the Use of Race by Federal Law Enforcement Agencies.  Yesterday afternoon, President Obama signed an Executive Order to create the Task Force on 21st Century Policing, and following the Michael Brown jury decision, the President proposed a three-year $263 million investment package to increase, among other things, the use of body-worn cameras.

In light of the events leading to Eric Garner’s death, however, which were captured by mobile video in their entirety, there has been skepticism about the efficacy of body-worn cameras in preventing such fatal interactions with the police and also in providing sufficient evidence to juries.  Privacy advocates, along with police officers, have expressed concern about the new technology as well.  On the one hand, body cameras have greater potential to invade privacy if they are used in homes or to film bystanders, suspects, and victims during what can be volatile and extreme encounters.  On the other hand, cameras could reduce police use of force while protecting officers from false accusations of misconduct.  Moreover, cameras could provide vital data used over time to monitor, measure, and improve departments’ institutional practices.  On balance, video cameras on police officers seem to be a good thing with short- and longer-term benefits, but only if they are deployed within a policy framework that prioritizes citizens’ privacy.

Duma Votes to Accelerate Implementation Date of Russian Data Localization Bill By A Year

Posted in International

In July this year, Russia enacted Law 242-FZ (the “Localization Law”).  The Localization Law amends the Russian Federal Law on Information, Information Technology and Information Protection, and would introduce a new requirement for certain businesses (including in particular those processing data concerning Russian citizens and also maintaining offices in Russia) to ensure that personal data relating to Russian citizens be physically stored and processed in Russian territory, subject to certain exceptions.  The exact scope of this requirement and its exceptions — including whether covered data relating to Russian citizens can be “mirrored” in data centers outside Russia or not — remain somewhat unclear at this time.

The Law was scheduled originally to come into effect on 1 September 2016, but on December 17, the Russian State Duma voted to enact a bill to move the implementation date of the Localization Law forwards to 1 September 2015.  This move follows an effort earlier this fall to bring the Localization Law’s implementation date forwards to 1 January 2015, which was ultimately set aside.

The “bring forward” bill will now be reviewed by the Council of the Russian Federation (the upper chamber of the Russian legislative assembly) and Russian President before it is formally enacted.

Canada’s Highest Court Rules That Police Can Search Cell Phone Contents After Arrest

Posted in Canada, International

By Lala Qadir

The Supreme Court of Canada recently issued a 4-3 decision that gave the police a green light to conduct warrantless searches of an arrestee’s cell phone as long as the search is directly related to the suspected crime and records are kept.  Over three dissenting judges who characterized mobile phones as an “intensely personal and uniquely pervasive sphere of privacy,” the majority held that a balance can be struck that “permits searches of cell phones incident to arrest, provided that the search—both what is searched and how it is searched—is strictly incidental to the arrest and that the police keep detailed notes of what has been searched and why.”

Canada’s high court ruling stands in stark contrast to that of the United States.  Earlier this year, the United States Supreme Court heard argument on two cell phone cases—Riley and Wurie—ultimately holding that warrantless searches of cell phones, even when held incident to an arrest, were unconstitutional unless they were subject to specific exceptions to the Fourth Amendment’s warrant requirement.

The EU’s Highest Court Rules That The EU’s Data Protection Directive Applies To Home Security Surveillance Cameras

Posted in European Union, International

By Fredericka Argent

Last week, the Court of Justice of the European Union (CJEU) ruled that owners of home surveillance cameras could be breaching the EU Data Protection Directive 95/46/EU (the Directive), when those cameras are used to monitor public spaces.  The ruling was made following a request from the Nejvyšší správní soud (The Supreme Administrative Court of the Czech Republic) for interpretive guidance.

According to the facts, Mr Ryneš, from the Czech Republic, had set up a camera to monitor the footpath outside of his home in response to a series of break-ins that he and his family had suffered.  One of the suspects of a break-in was subsequently caught on camera, and the video recording was used as evidence in the criminal proceedings that followed.  However, the suspect separately made a complaint to the Czech Data Protection Office that the surveillance system used by Mr Ryneš was unlawful.  The Czech Data Protection Office agreed. Mr Ryneš then brought an action challenging that decision, which was appealed to the Czech Supreme Court.

Article 29 Working Party Publishes Working Document Setting Out Cooperation Procedure for Issuing Common Opinions on Contractual Clauses

Posted in European Union, International

By Tom Jackson

On November 26, 2014, the Article 29 Working Party adopted a working document setting out a cooperation procedure for issuing common opinions on contractual clauses considered as compliant with the EC Model Clauses (the “Working Document”).  The Working Document sets out the framework for a procedure designed to streamline the process of obtaining the necessary approvals to transfer data outside the EEA.  It introduces the concept of a “Lead DPA,” through whom an applicant company would be able to deal with a range of competent national authorities in order to gain a common opinion on the adequacy of its contractual clauses.

The publication of this Working Document serves as an indication that European data protection authorities recognize that the current system is burdensome and often time-consuming for companies seeking to transfer data outside the EEA.  However, it remains to be seen when, or even if, the procedure proposed by the Working Party will be put into practice.

European Data Protection Regulators Release Joint Statement on European Values

Posted in European Union, International

By Tom Jackson

On November 26, 2014, the Article 29 Working Party released a short joint statement containing a series of declarations on:  (i) “European values”; (ii) “surveillance for security purposes”; and (iii) the “European influence.”  The joint statement emphasizes the balance to be struck between protecting data protection rights and allowing national intelligence agencies to perform their duties, and the fundamental importance of European data protection rights more generally. These affirmations are particularly significant in the context of both the Snowden revelations and the ongoing Transatlantic Trade and Investment Partnership (TTIP) negotiations.

Congress Passes Five Cybersecurity Bills

Posted in Congress, United States

By Caleb Skeath

Congress approved a package of five cybersecurity bills after a series of votes in the House and Senate this week, increasing the likelihood that some cybersecurity-related legislation will be signed into law by the end of this year. None of the bills address some of the larger, more contentious cybersecurity issues, such as immunity for private companies that share cybersecurity threat information with the federal government. Instead, the bills focus on narrower cybersecurity issues and the structures and procedures of the federal agencies that oversee cybersecurity. Two of the measures, S. 2519 and S. 2521, are primarily focused on centralizing the federal government’s cybersecurity efforts and enhancing information sharing with the private sector, while another, S. 1353, provides for the development of a voluntary set of cybersecurity standards for the private sector. The remaining bills, S. 1691 and H.R. 2592, are focused on strengthening the Department of Homeland Security’s cybersecurity workforce and recruitment efforts.

Financial Industry Regulators Increase Data Security Oversight

Posted in United States

On Wednesday, December 10, 2014, financial industry regulatory and enforcement agencies issued statements that their organizations will increase scrutiny of financial industry cybersecurity practices going forward.

In New York, the State’s Department of Financial Services Superintendent Benjamin Lawsky issued new guidelines to banks, detailing how their cybersecurity practices would be evaluated. The memorandum—sent to all New York chartered or licensed banking institutions—noted that the Department would take a close look at banks’ data breach detection abilities, cybersecurity corporate governance practices, resources devoted to information security, defenses against cyberattacks, management of third-party service providers, and cybersecurity insurance coverage, among other things.

The memorandum further noted that, prior to conducting an examination, the Department intends to request information on 12 information technology- and cybersecurity-related issues, including the qualifications and responsibilities of banks’ Chief Information Security Officers, information security policies, due diligence processes, and software development standards.

Parties Involved in TCPA Fax Litigation May Qualify for Relief

Posted in Federal Communications Commission, United States

The FCC recently agreed to grant limited waivers for violations of its “opt out notice” rule for solicited faxes (i.e., faxes sent with the recipient’s prior express invitation or permission).  That rule requires that senders of faxes include opt-out notices on fax transmissions that contain advertisements or promotions.  The FCC initially promulgated its opt-out notice rule in connection with the Telephone Consumer Protection Act (“TCPA”) and the Junk Fax Prevention Act.  Because the TCPA authorizes a private right of action and statutory damages for certain violations, the opt-out notice rule has been — and continues to be — used to bring class action lawsuits that seek potentially staggering levels of monetary payment.  In its recent ruling, the FCC agreed to issue waivers of its opt-out notice rule for solicited faxes, but the ruling suggests that such requests must be filed before April 30, 2015.

A number of plaintiffs have filed lawsuits challenging the FCC’s grant of the waivers.  At the same time, some of the petitioners also are challenging the portion of the FCC’s order in which the FCC reasserted its authority under the TCPA to regulate solicited fax advertisements.  Both sets of challenges will be heard by the U.S. Court of Appeals for the District of Columbia Circuit.

Have EU Privacy Regulators Just Spelled the End of Web Tracking?

Posted in European Union, International

On November 25, 2014, the Article 29 Working Party (“WP29”) issued an opinion paper on device fingerprinting (the “Opinion”).  The Opinion builds on existing guidance on cookies (Opinion 04/2012) and confirms that organizations wishing to generate “device fingerprints” by storing or accessing information on a user’s device must obtain user consent (unless an exemption applies).  This is because Article 5(3) of the European e-Privacy Directive 2002/58/EC, known as the “cookie rule”, also applies to device fingerprints.  The real-life impact of the new Opinion on technology businesses is difficult to predict at this stage, but the WP29’s motivation is clear — it aims to prevent companies from using device fingerprinting technology for data analytics or tracking purposes as an alternative to cookies and without the need to obtain consent under Article 5(3).
