FTC Launches Review of Its Email Marketing Rule

Today the FTC announced that it is undertaking a review of its CAN-SPAM Rule, which sets out the requirements for sending commercial e-mail messages.  Among other things, the CAN-SPAM Rule requires that senders of commercial e-mails provide recipients a mechanism to opt out of receiving commercial e-mails, honor opt-out requests within 10 business days, and include specific disclosures in the body of the commercial messages.

The review is part of the FTC’s standard process of reviewing its rules and industry guides on a 10-year schedule to ensure that they remain relevant and are not unduly burdensome.  The goal of these reviews typically is to determine whether rule modifications are needed to address public concerns or changed conditions, or to reduce undue regulatory burden.

Consistent with these goals, the FTC specifically is asking for comments on the following topics:

  • The economic impact and benefits of the CAN-SPAM Rule;
  • Possible conflict between the CAN-SPAM Rule and state, local, or other federal laws or regulations (note that the CAN-SPAM statute preempts state commercial e-mail laws, except to the extent they prohibit “falsity or deception”); and
  • The effect any technological, economic, or other industry changes have had on the CAN-SPAM Rule.

Unlike some other FTC rules and guides that are grounded in the FTC’s general authority to prohibit unfair and deceptive practices under Section 5 of the FTC Act, the CAN-SPAM Rule implements requirements contained in the CAN-SPAM statute.  Consequently, while there are certain aspects of the CAN-SPAM Rule that the FTC can modify, the statutory requirements cannot be changed without congressional amendment.

Written comments are due on August 31, 2017.

FTC Staff Publish COPPA Guidance for Businesses

The FTC staff published today a “Six-Step Compliance Plan” for businesses to comply with the Children’s Online Privacy Protection Act (COPPA).

The guidance, which provides a useful framework for businesses, states explicitly that COPPA applies to connected toys and other devices that collect personal information from children over the Internet.  The FTC’s 2013 revisions to the COPPA Rule greatly expanded the scope of the COPPA Rule by broadening the definition of “personal information” in two ways.  First, the definition now includes persistent identifiers, such as device IDs and IP addresses.  Second, the definition now covers audio, video, and image files of children.  Internet-connected toys and devices often collect persistent identifiers and voice or video information in order to function.  (Importantly, there are a number of other elements that must be met for COPPA to apply, and various exceptions that permit the collection of some types of information.)

The guidance does not, however, break new ground on COPPA’s substantive requirements.  For example, the two new parental consent methods that the guidance references — requiring a parent to answer a series of “knowledge-based” challenge questions and using facial recognition technology to compare the parent’s selfie and driver’s license — were approved by the FTC in 2013 and 2015, respectively.

As a result, the guidance misses an opportunity to address, for example, best practices to de-identify voice data or to confirm that other verifiable parental consent methods (such as a parent’s informed purchase of a connected toy) should be sufficient under COPPA.


Chinese Authorities Release Catalog of Network and Cybersecurity Products Subject to Pre-Sale Inspection

On June 9, 2017, the Cyberspace Administration of China (“CAC”), together with three other agencies, released a Catalog of Critical Network Equipment and Network Security Products (First Batch) (“the Catalog,” original Chinese version available here).  It specifies network products that must be certified before they can be marketed in China.

China’s Cybersecurity Law (see our series of blog posts on the Law here) requires certain “critical network equipment and network security products” to go through a certification process before being marketed in China.  This is a separate requirement from the procurement-related cybersecurity review, which mandates a cybersecurity review of network products or services procured by operators of Critical Information Infrastructure, if such procurement potentially affects China’s national security (discussed here).

Separately, since 1997, “computer information system security products,” which are defined to include “hardware and software designed to protect information system security,” have had to pass a technical review by the Ministry of Public Security (“MPS”) before they can be marketed in China.  The Cybersecurity Law seeks to consolidate the existing review requirements, and agencies are required to issue a comprehensive catalog of approved products.  It is uncertain, however, whether the scope of “critical network equipment and network security products” is more expansive than that of “computer information system security products.”

The Catalog specifies that “critical network equipment and network security products” must be certified or tested by qualified institutions before being sold or provided in China.  Qualified institutions include institutions jointly confirmed by the Certification and Accreditation Administration, the Ministry of Industry and Information Technology, the MPS and the CAC.

The CAC specified that this is the first “batch” of equipment and products to be covered in such a catalog, so more are expected to be announced in the future.

The Catalog includes the following categories of equipment and products.  For each, the “Scope” column of the Catalog gives performance thresholds; a product in that category falls within the Catalog if it meets or exceeds them.

Critical Network Equipment
  1. Router: throughput of the whole system (bi-directional) ≥ 12 Tbps; routing table capacity of the whole system ≥ 550,000 entries
  2. Switch: throughput of the whole system ≥ 30 Tbps; packet forwarding rate of the whole system ≥ 10 Gpps
  3. Server (rack): number of CPUs ≥ 8; number of cores in a single CPU ≥ 14; memory capacity ≥ 256 GB
  4. Programmable Logic Controller (PLC equipment): controller instruction execution time ≤ 0.08 ms

Network Security Products
  5. Data backup all-in-one machine: backup capacity ≥ 20 TB; backup speed ≥ 60 MB/s; backup interval ≤ 1 hour
  6. Firewall (hardware): throughput of the whole machine ≥ 80 Gbps; maximum concurrent connections ≥ 3,000,000; new connections per second ≥ 250,000
  7. Web Application Firewall (WAF): application throughput of the whole machine ≥ 6 Gbps; maximum concurrent HTTP connections ≥ 2,000,000
  8. Intrusion Detection System (IDS): full detection rate ≥ 15 Gbps; maximum concurrent connections ≥ 5,000,000
  9. Intrusion Prevention System (IPS): full detection rate ≥ 20 Gbps; maximum concurrent connections ≥ 5,000,000
  10. Security Isolation and Information Prevention Product (GAP): throughput ≥ 1 Gbps; system delay ≤ 5 ms
  11. Anti-spam product: connection processing rate > 100 connections/second; average delay time < 100 ms
  12. Network comprehensive auditing system: packet capture speed ≥ 5 Gbps; incident recording capacity ≥ 50,000/s
  13. Network vulnerability scanning product: maximum concurrent IP scanning amount ≥ 60
  14. Secure database system: TPC-E tpsE (transactions per second) ≥ 4,500
  15. Network recovery product: recovery time ≤ 2 ms; longest path of the site ≥ 10 levels


Three Weeks On: What We Know about The Enforcement of China’s Cybersecurity Law – Part 3

Part 3 of this three-part entry discusses a separate, but equally important, legal development in China’s data protection environment.

On May 8, 2017, the Supreme People’s Court and the Supreme People’s Procuratorate issued an interpretation of criminal law regarding infringement of citizens’ personal information (the “Interpretation”).  The Interpretation examines the provision in China’s Criminal Law, which prohibits illegal provision of personal information, as well as illegally obtaining personal information through theft or other means.

The Interpretation defines “personal information” generally as “various types of information, whether recorded by electronic or other means, that can be used separately or in combination with other information to identify a natural person.” This definition is largely consistent with the definition in the Cybersecurity Law, but it also adds an individual’s financial records and location information to the enumerated list of personal information.

Under the Criminal Law as construed by the Interpretation, the illegal provision of personal information includes both providing personal information to a specific person or company and disclosing such information online or by other means.  Even if the personal information was lawfully collected, providing it without the data subject’s consent may lead to serious criminal penalties for the company and, where a company is involved in the crime, for the responsible individual(s).  This clause does not apply if the data has been de-identified such that identification of a natural person is not possible.

Obtaining personal information unlawfully refers to the situations where a company or an individual obtains citizens’ personal information by purchasing, accepting, exchanging, or collecting the information during the process of performing one’s duties or providing services in violation of “relevant rules and regulations.”  Collecting personal information without consent is thus viewed as a crime.

Individuals or companies that commit the offense under “serious circumstances” are subject to imprisonment for up to three years and/or a fine. “Serious circumstances” include but are not limited to those in which:

  • the personal information (especially a person’s location information) is used for crime;
  • the defendant illegally obtains, sells, or provides personal information above a specified threshold amount;
  • the illegal income is over RMB 5,000; or
  • the defendant commits the offense within two years of a prior offense.

Individuals or companies that commit this offense under “particularly serious circumstances” are subject to imprisonment of three to seven years and a fine. “Particularly serious circumstances” include but are not limited to those in which the offense:

  • causes death or serious injury; or
  • causes significant economic loss or adverse social effects.


Click here to return to Part 1 or Part 2 of this three-part post on the landscape surrounding China’s Cybersecurity Law.

Three Weeks On: What We Know about The Enforcement of China’s Cybersecurity Law – Part 2

Part 1 of this post clarified which parts of China’s latest Cybersecurity Law (the “Law”) are currently ready to be enforced and which parts are awaiting clarification in the form of implementing regulations or standards. In this post, we will discuss the latest landscape of implementing regulations and national standards that supplement the Law.


Implementing Regulations

The following implementing regulations are legally binding. They provide specifics on how provisions of the Law will be applied in practice.


Finalized: Cybersecurity Review of Network Products and Services

The Measures on the Security Review of Network Products and Services (Trial) (the “Security Review Measures”) offer guidance on how cybersecurity reviews of operators of Critical Information Infrastructure (“CII”) will be conducted. Specifically, the Security Review Measures elaborate on the review’s scope, substantive criteria, responsible agencies, and process (for more detail, see Covington’s alert here).

The Security Review Measures provide that procurement of “important network products and services” related to network and information systems that implicate China’s national security will be subject to the cybersecurity review. Specifically, network products and services supplied to the following entities may be subject to the review process if the procurement will affect China’s national security:

  • Entities in key sectors such as telecommunication and information services, energy, transportation, water conservation, finance, utilities and e-government; and
  • Other operators of CII.

Further, the Security Review Measures establish a Cybersecurity Review Commission, which will be responsible for shaping policies regarding the review and addressing key cybersecurity issues. Under the Commission, a Cybersecurity Review Office will handle the actual cybersecurity reviews with assistance from third party evaluation centers, which will produce technical evaluation reports, and an expert panel, which will provide recommendations based on their assessment of security risks on the basis of the third party reports.

According to a news report, the Head Engineer of the China Information Technology Security Certification Center (“CNITSEC”) (one of the third-party evaluation centers designated to conduct the cybersecurity review on the Government’s behalf) explained that the security review may be triggered in one of three ways: (1) the relevant sector regulators deem a security review of a certain product or service to be necessary; (2) a nationwide industry association suggests conducting the security review; or (3) the market’s response (including the public and users) demands the security review.

In conducting the review, agencies will focus on whether the products and services and the related supply chain are “secure and controllable.”  Risk criteria that agencies will assess include:

  • Security risks inherent in the products or services themselves, as well as the risk that the products or services will be unlawfully controlled, interfered with, or interrupted;
  • Supply chain security risks associated with all stages of the life cycle of products and key components (i.e., manufacturing, testing, delivery, and technical support);
  • The risks associated with products or services being used by their suppliers to illegally collect, store, process, or use users’ data;
  • The risks that product or service providers could negatively impact cybersecurity or consumers’ rights and interests by leveraging customers’ reliance on the products or services. (The final version removes the reference to “unfair competitive practices”); and
  • Other risks that may compromise national security.


Yet to be Finalized: Cross-Border Data Transfers

The Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (the draft “Transfer Measures”) have not yet been finalized, but have gone through a public comment period. The draft Transfer Measures specify when a security assessment must be conducted for a network operator’s cross-border data transfers and what substantive criteria will be used (for more detail, see Covington’s alert here).

The draft Transfer Measures extend certain cross-border transfer obligations to “network operators,” a much broader term than “CII operators.” “Network operator” is defined to include “owners and managers of networks, as well as network service providers.” The draft Transfer Measures provide that when network operators transfer abroad personal information and important data collected or generated in the course of operations within China, a security assessment should be conducted.

Regulators will review these assessments under certain circumstances.  For example, regulators may initiate their review when personal information of over 500,000 Chinese citizens is transferred offshore or when the regulator views the transfers as “potentially affecting China’s national security and public interests.”

In the latest version of the Measures, the Cyberspace Administration of China (“CAC”) has given network operators a grace period of 18 months to comply with the requirements for cross-border data transfers. Therefore, all network operators’ cross-border data transfers must be in compliance with the Transfer Measures starting from December 31, 2018.  The CAC also explained that China’s National Information Security Standardization Technical Committee (“NISSTC”) will release supplementary national standards to provide more guidance to companies on how to conduct a security assessment for their cross-border data flows.


Yet to be Finalized: Sectorial Regulations

In addition to regulations of general applicability, China has released a series of cybersecurity rules that cover entities in certain sectors.  Some of these regulations have effects that go beyond those covered entities.

For example, in February 2017, the Civil Aviation Administration of China (“CAAC”) proposed Rules for the Administration of Civil Aviation Cyber Information Security (Draft for Comment) (“CAAC Rules”). Although the CAAC Rules govern covered entities (e.g., domestic aviation entities under CAAC’s direct supervision), they also apply more broadly to entities that access networks and systems of those covered entities.

In May 2017, the China Securities Regulatory Commission (“CSRC”) proposed Measures for Securities and Fund Institutions on Information Technology Management (Draft for Comment) (“CSRC Measures”). Similar to the CAAC Rules, while the CSRC Measures’ substantive obligations are largely intended for covered entities within the financial industry, some provisions also apply more broadly to “information technology service providers” serving the covered entities.

These developments make clear that providers of network equipment and companies that interface with covered entities in these and other sectors cannot ignore sectoral regulations in China. Even though a network equipment provider may not be the primary covered entity, sectoral regulations such as these may impact providers of technology and other services nonetheless.


National Standards

China’s NISSTC, a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the CAC, has released draft national standards that supplement the Cybersecurity Law. While these standards are not legally binding, they will likely serve as reference points for the CAC and other regulators when enforcing the Law.


Yet to be Finalized: Protection of Personal Information

The Information Security Technology – Personal Information Security Specification (the draft “Personal Information Standard”) will likely be used to judge corporate data protection practices in China. While the public comment period has ended, the draft Personal Information Standard has not yet been finalized.

As far as personal information is concerned, the draft Personal Information Standard is more comprehensive in scope than the Cybersecurity Law.  It is comparable to modern data protection rules and standards in other countries, such as the EU’s General Data Protection Regulation (“GDPR”), EU-U.S. Privacy Shield, as well as relevant ISO/IEC, NIST, and CWA standards.

The draft Personal Information Standard’s definition of “personal information” mostly parallels the term’s definition in the Law, namely “various types of electronic or otherwise recorded information that can be used separately or in combination with other information to identify a natural person.” But the draft Personal Information Standard explicitly includes a natural person’s biological identification data, geographical location data, and behavior data within the scope.

Further, the draft Personal Information Standard treats differently “sensitive” personal information, defined as “personal information that may lead to bodily harm, property damage, reputational harm, personal health, or discriminatory treatment of a person if such information is disclosed, leaked or abused.” Examples of sensitive personal information include a person’s National Identification Number, bank information, medical records, and biological identification information.

The draft Personal Information Standard also sets out eight substantive principles of personal information protection, which are meant to parallel international norms.  For example, it contemplates that the primary legal basis for processing personal data in China is consent (it does not provide for other legal bases such as, as in the EU, “legitimate interests”).  As in some other jurisdictions, it contemplates that data subjects have a right to delete their personal information.  It also expects that organizations will adhere to principles of data minimization.  (For more details, see our previous post).


Yet to be Finalized: Security Assessment of Cross-Border Data Transfers

On May 27, 2017, the NISSTC released Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft Version) (the draft “Transfer Standard”) for public comments. The comment period is open until June 27, 2017. The draft Transfer Standard supplements the draft Transfer Measures discussed above.

The draft Transfer Standard, elaborating on the substantive criteria mentioned in the draft Transfer Measures, details the risk factors regulators are likely to analyze when reviewing or conducting security assessments of companies’ cross-border data transfers flowing out of China.

As a threshold matter, the regulator determines whether the transfers at issue are “lawful and legitimate.” Transfers for a genuine business purpose should generally meet this threshold. If this bar is met, regulators are instructed to evaluate security risks associated with transfers focusing on four elements: data being transferred, data controllers’ data protection program, data recipients’ level of protection, and the “political and legal environment” of the country or region in which the data recipient is located.

Based on these risk factors, regulators can determine the overall risk level of the data transfers. If these assessments reveal major risks, regulators may require a company to step up its data protection efforts, or such transfers may be blocked entirely. Once a company conducts a self-security assessment, the record of such an assessment must be retained for at least five years. For more details, see our previous post.

Click here to proceed to Part 3 of this post.

Three Weeks On: What We Know about The Enforcement of China’s Cybersecurity Law – Part 1

On June 1, 2017, China’s new Cybersecurity Law (the “Law”) finally went into effect. It is the first Chinese law that systematically lays out the regulatory requirements on data privacy and cybersecurity, subjecting to government scrutiny many activities in cyberspace that were previously unregulated or addressed in a sector-by-sector fashion.

Three weeks after the Law took effect, we examine the latest developments in this three-part post.  This post (Part 1) will clarify which key features of the Law are ready to be enforced immediately and which provisions are still awaiting clarification in the form of implementing regulations or standards.  Part 2 will elaborate on the implementing regulations and national standards that have developed in conjunction with the Law to date.  Part 3 will examine a judicial interpretation related to the interpretation of China’s Criminal Law, which also took effect on June 1 and bears on the misuse and sale of personal data.

Enforced Immediately: General Data Privacy and Cybersecurity Obligations of “Network Operators”

The Law imposes various data privacy and cybersecurity obligations on “network operators” (broadly defined to include “owners and managers of networks, as well as network service providers”).  These general obligations are expected to be enforced immediately.

Key obligations for network operators include:

Data Privacy Obligations
  • Implement adequate access controls (Art. 40)
  • Provide notice and obtain consent when collecting or using personal information of Chinese citizens; do not collect personal information if it is not necessary for the services provided (Art. 41)
  • Do not disclose, tamper with, or damage citizens’ personal information that has been collected; do not provide citizens’ personal information to others without consent unless the information is sufficiently anonymized (Art. 42)
  • Delete unlawfully collected personal information and amend incorrect information (Art. 43)

Cybersecurity Obligations
  • Implement data security programs according to national standards (Art. 10)
  • Safeguard networks against disruption, damage or unauthorized access, and prevent data leakage, theft, or tampering (Art. 21)
  • Formulate incident response plans and react to security risks in a timely manner; adopt remedial measures and notify authorities in case of breach (Art. 25)
  • Provide technical support and assistance to authorities in matters relating to national security or criminal investigations (Art. 28)


Enforced Immediately: Cybersecurity Review of Network Products and Services

Providers of network products and services that may affect China’s national security will also be affected immediately.  Article 35 of the Law requires operators of Critical Information Infrastructure (“CII”) to ensure that any procured network products and services that may affect national security pass a “national security review.”

The Cyberspace Administration of China (“CAC”) finalized the Measures on the Security Review of Network Products and Services (Trial) (“the Security Review Measures”) on May 2, 2017, which offer guidance on how mandated cybersecurity reviews will be conducted.  While the Measures have already gone into effect (on the same day as the Cybersecurity Law), they still lack clarity regarding the substantive criteria and procedures that will be applied during the review process.

Despite some ambiguity in how the review will be conducted, suppliers of network products and services may be subject to these reviews if the procurement at issue has the potential to affect China’s national security.  Thus, those suppliers should be mindful of security risks running through their supply chain.  More detail on these Security Review Measures will follow in Part 2.

Enforced Immediately: Pre-Sale Certification of Critical Network Equipment and Network Security Products

Article 23 of the Law requires certain “Critical Network Equipment and Network Security Products” to undergo a certification process before being sold or provided in China.  This is separate from the security review process for network products and services procured by operators of Critical Information Infrastructure (CII).  On June 9, 2017, the CAC, together with three other agencies, released the Catalog of Critical Network Equipment and Network Security Products (First Batch) that will be subject to such a certification process.  For more detail, see Covington’s post on this development here.

Awaiting Clarification: Protection of Critical Information Infrastructure (CII)

The Law imposes the most stringent cybersecurity rules on CII operators and their suppliers. For example, in addition to the general obligations applicable to all network operators, Article 34 of the Law imposes on CII operators specific security protection obligations.  These include, among other items, designating departments/personnel responsible for security management, conducting security training, backing up important systems and data, and formulating incident response plans that should be practiced regularly.  However, the Law contemplates that the specific scope of these and other requirements on the protection of CII will be specified by implementing regulations.  These regulations have not yet been released.

Awaiting Clarification: Cross-Border Data Transfer

Article 37 of the Law expressly requires that operators of CII store within China “citizens’ personal information and important data” collected or generated in the course of operations within the country. If transfers of data offshore are necessary for operational reasons, a security assessment must be conducted by designated agencies, unless otherwise specified by laws and regulations.

The CAC has issued and received public comment on a draft implementing regulation for this requirement—the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (the draft “Transfer Measures”). Importantly, the draft Transfer Measures extend certain cross-border transfer obligations to “network operators,” a much broader term than “CII operators.”  These obligations include conducting a security assessment before transferring personal information and important data offshore.

The CAC has delayed the issuance of the final version of the Transfer Measures for unknown reasons. In any event, in the latest version of the Transfer Measures, the CAC has given “network operators” a grace period of 18 months to comply with the requirements for cross-border data transfers. All network operators’ cross-border data transfers must be in compliance with the Measures starting from December 31, 2018.  More detail on the Transfer Measures will follow in Part 2.

Click here to proceed to Part 2 of this post.

Senate, House, and FTC Seek to Steer the Course of Self-Driving Vehicles

Members of Congress are gearing up for national laws on autonomous vehicles. Last week in the Senate, John Thune (R-S.D.), Gary Peters (D-Mich.), and Bill Nelson (D-Fla.) released a list of principles for bipartisan legislation in advance of a hearing they convened on June 14, 2017, entitled “Paving the Way for Self-Driving Vehicles.”  In the House of Representatives, a subcommittee of the House Energy and Commerce Committee circulated discussion drafts of fourteen bills that also address autonomous vehicles.  Although the legislative efforts in both houses are still in early stages, they underscore the federal government’s interest in driving the decisions about how to prioritize safety while also fostering innovation in automated technologies.

Indeed, the Senators released a set of principles that they said were designed to address both safety and advancements in technology.  More specifically, their principles aim to guide national legislation to do the following:

  • Prioritize setting federal safety standards that address new technologies;
  • Reduce “roadblocks” to innovation by eliminating existing rules that are incompatible with new technologies and that prevent the development of life-saving features;
  • Maintain neutrality with respect to emerging technologies, so as not to favor the business models of some developers over others;
  • Reinforce the separate roles that state and federal legislators have had in regulating cars, while also allowing flexibility for changes in that relationship due to new technologies;
  • Require cybersecurity to “be an integral feature of” automated vehicles so that potential vulnerabilities do not compromise safety; and
  • Encourage collaboration between the government and industry to provide public education on the differences between conventional and self-driving vehicles.

The Senators released these principles on June 13, one day before the Senate Committee on Commerce, Science, and Transportation held the hearing on self-driving cars. During that hearing, Senators and industry members discussed the content of the principles, particularly with respect to hurdles for testing and deployment, as well as the federal and state roles.  There is no set timeline for developing draft legislation, but the Senators have suggested that they may release the text by August of this year.

On the House side, the Digital Commerce and Consumer Protection Subcommittee has already drafted bills that address many of the same issues presented by the Senate. On June 15, 2017, the Subcommittee circulated the drafts.

Legislators, however, are not the only ones in Washington gearing up to address self-driving vehicles this month. The Federal Trade Commission and the National Highway Traffic Safety Administration will hold a workshop on June 28, 2017, to examine the consumer privacy and security issues posed by automated and connected vehicles.  The final agenda, which the FTC has just released, is available here.

We will continue to monitor developments both on and off the Hill relating to the regulation of self-driving vehicles.


EU Data Protection Authorities Urge European Commission to Ensure Rigor in First Annual Privacy Shield Review

The Article 29 Working Party (“WP29”), a group consisting of representatives from each European data protection authority, the European Data Protection Supervisor, and the European Commission, yesterday issued a press release detailing its recommendations for the first Annual Joint Review of the EU-U.S. Privacy Shield (“Privacy Shield”), which will take place in September 2017.  Specifically, the June 13 press release announced that WP29 had adopted a letter to send to the European Commission with its views and questions regarding U.S. fact-finding on commercial matters, law enforcement, and national security.  According to the WP29, answers to these questions will be crucial to “ensur[ing] that the US authorities are able to constructively answer concerns on the concrete enforcement of the Privacy Shield decision.”

The WP29 emphasized in its press release the need to assess the “robustness and effectiveness of the Privacy Shield mechanism,” which the EU and U.S. jointly adopted in July 2016 to provide a framework for cross-border data transfers.  The WP29’s current concerns echo points that the group has previously raised and also reflect developments in the current U.S. administration.

  • Regarding the commercial part of the U.S. fact-finding for the annual review, the WP29 expressed concerns over the legal guarantees that exist around automated decision making, the existence of guidance on the application of the Privacy Shield from the U.S. Department of Commerce, and clarifications on definitions, specifically including “human resources data.” The WP29’s list is non-exhaustive.
  • With respect to the law enforcement and national security part, the WP29 stressed its need to obtain information related to “the latest developments of US law and jurisprudence in the field of privacy.” In particular, the group stated it seeks “precise evidence to show that bulk collection, when it exists, is ‘as tailored as feasible.’” The WP29 also raised questions about Privacy Shield oversight, including the nomination of four members of the Privacy and Civil Liberties Oversight Board (“PCLOB”), as well as questions regarding the appointment of the Ombudsperson and the mechanisms governing that position.

The WP29 further used the press release to announce that it has been “intensely preparing” for the annual review, and it shared recommendations regarding participants, the length of the review, and the WP29’s ability to publish its own report.

The WP29’s letter comes in the wake of larger questions about the implementation of the Privacy Shield on both sides of the Atlantic. With more than 2,000 organizations listed as self-certified under the framework, the first annual review will provide an important opportunity to shape the future of cross-border data transfers across many industries.  We will continue to monitor developments relating to the Privacy Shield and the first annual review.


U.S. Supreme Court to Consider Whether the Fourth Amendment Protects Cell-Location Data

By Lauren Moxley

Today, the Supreme Court granted certiorari in Carpenter v. United States, a case addressing Americans’ privacy rights in cell phone tracking data. The Court will consider whether a warrantless search and seizure of cell phone records revealing the location and movements of a cell phone user over the course of several months is permitted by the Fourth Amendment. The case raises a number of critical questions with respect to Fourth Amendment protections for location data in the digital age, which we have discussed here, here, here, and here.

The case stems from a criminal investigation in Detroit in 2011, where the government acted without a warrant in obtaining 127 days’ worth of cell phone location records for two suspects. The government obtained the data under the Stored Communications Act, 18 U.S.C. §§ 2703(c)(1)(B), (d), which requires a showing of reasonable suspicion and not probable cause. For one suspect, the records revealed 12,898 points of location data; for another, 23,034 location points. Both suspects were convicted, based in part on cell phone location evidence that placed them near the crime scenes, and they challenged their convictions in the Sixth Circuit.

A panel of the Sixth Circuit held that the Fourth Amendment does not require a warrant for law enforcement officers to request historical “cell-site location information.” Writing for the majority, Judge Kethledge determined that a warrant was not needed for the records under the third-party doctrine, under which people have no legitimate expectation of privacy in information voluntarily turned over to third parties, such as telephone companies and internet service providers. Judge Stranch concurred in the judgment in part, and wrote separately to note that the court’s “precedent suggests the need to develop a new test to determine when a warrant may be necessary” for personal location information that is neither “relatively innocuous routing information nor precise GPS locator information,” the latter of which was held to implicate the Fourth Amendment in United States v. Jones, 132 S. Ct. 945 (2012).

The Sixth Circuit joined the Fourth, Fifth, and Eleventh Circuits in holding that the Fourth Amendment does not require a warrant for law enforcement to seek historical cell-site location data. Neither the government nor the petitioner sought review of whether the good-faith exception to the Fourth Amendment’s exclusionary rule applied. Accordingly, this significant case will afford the Court the opportunity to weigh in on the third-party doctrine, which lies at the foundation of modern surveillance law. The Court’s decision to consider the Fourth Amendment’s protection of location data comes after years of calls upon Congress to modernize the 1986 law governing the protection of electronic information.

Second Circuit in Silk Road Appeal: No Fourth Amendment Protection in IP Addresses under the Third Party Doctrine

In February 2015, a jury convicted Ross Ulbricht of drug trafficking and other crimes associated with his creation and operation of Silk Road, an online marketplace whose users primarily purchased and sold illegal goods and services.  A federal judge in the U.S. District Court for the Southern District of New York then sentenced Ulbricht to life imprisonment.  On Wednesday, the Second Circuit upheld the conviction and sentence “in all respects.”  In affirming the conviction, the appeals court rejected Ulbricht’s claim that much of the evidence against him should have been suppressed because it was obtained in violation of his Fourth Amendment rights.

The Second Circuit rejected Ulbricht’s argument that the pen/trap orders that the government used to monitor IP address traffic to and from his home router violated the Fourth Amendment because the government obtained the orders without a warrant.  The government obtained authorization to use pen registers and trap and trace devices—which collect non-content data related to communications—under the Pen/Trap Act, 18 U.S.C. § 3122, which does not require a search warrant or the kind of showing generally required to obtain such a warrant.

For Ulbricht to mount a successful Fourth Amendment challenge to the pen/trap orders that the government obtained to monitor the IP address traffic to and from the various devices associated with him, he was required to show that he personally had an expectation of privacy in the IP addresses.  Since the Supreme Court’s lodestar 1979 decision in Smith v. Maryland, courts have held that people have no legitimate expectation of privacy in information voluntarily turned over to third parties.  The concept, which has become known as the “third party doctrine,” originated in the context of the telephone, as telephone users voluntarily convey numerical information (i.e., phone numbers)—but not the content of communications (i.e., the content of telephone conversations)—to the telephone company so that it can connect their calls.  Courts have since extended the doctrine to e-mail and internet addresses, holding that internet users do not have a legitimate expectation of privacy in information provided to and used by internet service providers for the purpose of directing the routing of information.

The Second Circuit joined the Third, Eighth, and Ninth Circuits in holding that there is no Fourth Amendment protection in IP address information under the third-party doctrine.  The court reasoned that the “recording of IP address information and similar routing data, which reveal the existence of connections between communications devices without disclosing the content of the communications, are precisely analogous to the capture of telephone numbers at issue in Smith.”  The court rejected the notion that some aspects of modern technology, which entrust great quantities of significant personal information to third party vendors and make extensive government surveillance possible, call for a reevaluation of the third-party doctrine.

The court was careful, however, to confine the scope of its holding.  The court noted that its decision was “narrowly confined to orders that are limited to the capture of IP addresses, TCP connection data, and similar routing information,” and did not “address other, more invasive surveillance techniques that capture more information (such as content),” including historical cell-site location information, which may require a warrant or other court order.

The Second Circuit also rejected Ulbricht’s argument that the warrants authorizing the government to search his laptop as well as his Google and Facebook accounts violated the Fourth Amendment’s particularity requirement.  The court relied principally on the distinction between breadth and particularity:  a warrant may be broad, in that it authorizes the government to search an identified object for a wide range of potentially relevant material—and, incidentally, exposes significant information that is not responsive to the warrant—without violating the particularity requirement.  The court disagreed that a search warrant is insufficiently particular where it fails to enumerate specific search terms and protocols.  To illustrate its point, the court explained that Ulbricht kept records of certain encrypted chats in a file labeled “mbsobzvkhwx4hmjt.”  The government would not have been able to obtain these responsive files with a pre-planned keyword search.  The court’s decision makes clear that warrants authorizing searches of computers, like all search warrants, do not require such ex ante protocols to be constitutionally particular.