Inside Privacy Audiocast: Episode 1 – Post-Schrems II: Paving A Way Forward

The Court of Justice of the European Union’s recent decision in the “Schrems II” case was one of the most highly anticipated decisions in the world of data privacy, striking down the EU-U.S. Privacy Shield, but upholding the validity of standard contractual clauses.

Tune in to the first episode of Covington’s Inside Privacy Audiocast, where Dan Cooper moderates a discussion with Kristof Van Quathem, who was part of Covington’s case team, on the implications of the judgment. Our speakers offer valuable insights on how companies should pave the way forward in a post-Schrems II environment.

Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.

AI Update: EU High-Level Working Group Publishes Self Assessment for Trustworthy AI

On July 17, 2020, the High-Level Expert Group on Artificial Intelligence set up by the European Commission (“AI HLEG”) published The Assessment List for Trustworthy Artificial Intelligence (“Assessment List”). The purpose of the Assessment List is to help companies identify the risks of AI systems they develop, deploy or procure, and implement appropriate measures to mitigate those risks.

The Assessment List is not mandatory, and there isn’t yet a self-certification scheme or other formal framework built around it that would enable companies to signal their adherence to it.  The AI HLEG notes that the Assessment List should be used flexibly; organizations can add or ignore elements as they see fit, taking into consideration the sector in which they operate. As we’ve discussed in our previous blog post here, the European Commission is currently developing policies and legislative proposals relating to trustworthy AI, and it is possible that the Assessment List may influence the Commission’s thinking on how organizations should operationalize requirements relating to this topic.

EU’s Highest Court Strikes Down Privacy Shield But Upholds Other Key International Data Transfer Mechanism

Today, the Court of Justice of the European Union issued a landmark decision striking down the EU-U.S. Privacy Shield—an agreement between EU and U.S. authorities authorizing transfers of EU personal data to the United States—but upholding the validity of standard contractual clauses (“SCCs”), another mechanism that EU-based organizations use to transfer data internationally. Covington represents BSA | The Software Alliance (“BSA”) in the case, and key aspects of BSA’s arguments on the validity of SCCs were reflected in the Court’s decision.


Two Years of Carpenter

Last month marked two years since the Supreme Court held, in Carpenter v. United States, that the Fourth Amendment applies to cell phone company records that detail a cell phone user’s location and movements.  Under Carpenter, police are generally required to use a warrant to obtain seven days or more of a user’s cell-site location information from phone companies.

As we previously reported, Carpenter redefined how the Fourth Amendment applies to information held by technology companies in the digital age.  Prior to Carpenter, the Court applied the third-party doctrine, under which a person who voluntarily revealed information to third parties—such as telephone companies, banks, or technology companies—lacks a reasonable expectation of privacy in that information and therefore forfeits Fourth Amendment protections.  In Carpenter, the Court declined to apply the third-party doctrine to cell-site location information, even though the cell phone user revealed their location information to their phone company.  Despite the significance of this ruling, the Court said that its decision in Carpenter was a “narrow one” that did not “address other business records that might incidentally reveal location information” or “consider other collection techniques involving foreign affairs or national security.”

Supreme Court Invalidates TCPA Government-Debt Exception

Today, the Supreme Court issued its decision in Barr v. American Association of Political Consultants, which addressed the constitutionality of the Telephone Consumer Protection Act (TCPA).  Although the Court splintered in its reasoning—producing four separate opinions—the justices nevertheless coalesced around two core conclusions: (1) the TCPA’s exception for government debt collection calls is unconstitutional, and (2) the exception can be severed from the rest of the TCPA.  Six justices determined that the TCPA’s government-debt exception violates the First Amendment, and seven justices concluded that the exception is severable from the rest of the statute.  The end result is that the government-debt exception is invalid but the rest of the TCPA—including its general prohibition on automated calls and text messages to mobile numbers—remains intact.  The narrow scope of this ruling suggests that it may have limited practical effect for most parties.

As we previously explained, the TCPA, as originally enacted in 1991, restricts the use of an automatic telephone dialing system (ATDS) to transmit calls or texts to mobile numbers without the recipient’s prior express consent (the ATDS prohibition).  In 2015, Congress amended the TCPA to exempt from the ATDS prohibition calls made to collect a debt owed to the United States.  The question before the Supreme Court was whether the government-debt exception violates the First Amendment and, if so, whether the proper remedy is to sever the exception—leaving intact the rest of the TCPA—or invalidate the entire ATDS prohibition.

Lawful Access to Encrypted Data Act Introduced

Senators Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.) and Marsha Blackburn (R-Tenn.) have introduced the Lawful Access to Encrypted Data Act, a bill that would require tech companies to assist law enforcement in executing search warrants that seek encrypted data.  The bill would apply to law enforcement efforts to obtain data at rest as well as data in motion.  It would also apply to both criminal and national security legal process.  This proposal comes in the wake of the Senate Judiciary Committee’s December 2019 hearing on encryption and lawful access to data.  According to its sponsors, the purpose of the bill is to “end[] the use of ‘warrant-proof’ encrypted technology . . . to conceal illicit behavior.”

The bill has three main provisions:

China Issued the Draft Data Security Law

On July 2, 2020, the Standing Committee of the National People’s Congress of China (“NPC”) released the draft Data Security Law (“Draft Law”) for public comment.  The release of the Draft Law marks a step forward in establishing a regulatory framework for the protection of broadly defined “data security” in China, with a particular focus on the governance of “important data,” defined as “data that, if leaked, may directly affect China’s national security, economic security, social stability, or public health and security.”  Many provisions of the Draft Law remain vague and lack guidance on how they might be implemented in practice.


FCC Issues Two TCPA Declaratory Rulings, One Clarifying Autodialer Definition

Earlier this week, the Federal Communications Commission’s (FCC’s) Consumer and Government Affairs Bureau released a Declaratory Ruling clarifying the agency’s interpretation of the “Automatic Telephone Dialing System” (an “autodialer” or “ATDS”) definition in the Telephone Consumer Protection Act (TCPA).  The Ruling clarified that, in the context of a call or text message platform, the definition does not turn on whether the platform is used by others to transmit a large volume of calls or text messages; instead, the relevant inquiry is whether, in this context, the platform is capable of transmitting calls or text messages without a user manually dialing each such call or text message.

The Declaratory Ruling was issued in response to a Petition filed by the P2P Alliance seeking confirmation that its text messaging platform is not an autodialer and therefore not subject to the TCPA’s ATDS-related consent requirements.  These requirements generally prohibit using an ATDS to call or text a mobile number without the recipient’s consent.  The Petition stated that the text messaging platform at issue required users of the platform “to actively and affirmatively manually dial each recipient’s number and transmit each message one at a time.”  The Petition also stated that recipients generally would provide their consent to receive such messages by providing their mobile numbers to the platform’s users.

FERC Requests Comments on Grid Cybersecurity Initiatives

In a new post on the Covington Energy & Environment Blog, our colleagues discuss the Federal Energy Regulatory Commission’s Notice of Inquiry on updating reliability standards related to cybersecurity, especially given the threat of a coordinated cyberattack targeting geographically distributed generation resources.  The Commission also issued a staff paper that suggests a framework for providing incentives in transmission rates for cybersecurity investments.  To read the post, please click here.

PACT Act Would Deny Section 230 Immunity in Certain Instances and Impose Greater Transparency, Process, and Enforcement Mandates

Continuing the flood of recent proposals to amend the scope of Section 230 of the 1996 Communications Decency Act, a bipartisan group of Senators unveiled the Platform Accountability and Consumer Transparency Act (“PACT Act”) last week.  Proposed by Senators Brian Schatz (D-HI) and John Thune (R-SD), the PACT Act comes on the heels of legislative proposals from Senate Republicans, a Department of Justice report with proposed amendments to the law—both of which we analyzed here—and the Trump Administration’s executive order on Section 230.

The PACT Act would amend Section 230 to include an “intermediary liability standard.”  Under this standard, Section 230’s immunity protections would no longer apply to any interactive computer service provider that “has knowledge” of any illegal content or illegal activity occurring on their service and that “does not remove the illegal content or stop the illegal activity within 24 hours of acquiring that knowledge.”  “Knowledge” of the illegal content requires notification in writing that identifies the illegal content or activity with “information reasonably sufficient to permit the provider to locate” it, as well as a copy of the Federal or State court order determining such content violated Federal law or State defamation law.
