FCC Seeking Comment on Key TCPA Reform Issues in Wake of DC Circuit Ruling

By Melanie Ramey

Yesterday, the Federal Communications Commission (“FCC”) released a Public Notice seeking comment on a range of issues relevant to its interpretation of the Telephone Consumer Protection Act (“TCPA”), including how the FCC should interpret what constitutes an “automatic telephone dialing system” in the wake of a recent decision by the U.S. Court of Appeals for the District of Columbia Circuit to vacate the agency’s prior interpretation of that term.

This same issue was the focus of a petition for declaratory ruling filed earlier this month by the U.S. Chamber Institute for Legal Reform and a number of other industry organizations.

The Public Notice seeks comment on a range of other TCPA issues, some of which also were addressed by the D.C. Circuit’s recent decision.  These include how calls to reassigned mobile telephone numbers should be treated under the TCPA and the ways in which a party may revoke his or her prior express consent to receive automated or prerecorded calls under the statute.  Continue Reading

Supreme Court Unanimously Holds that Unauthorized Driver Has Reasonable Expectation of Privacy in Rental Car

By Lauren Moxley

Today, the Supreme Court released its decision in Byrd v. United States.  The Court held that under the Fourth Amendment, a driver of a rental vehicle can challenge a search of the vehicle even if he is not listed as an authorized driver on the rental agreement.

The case began in September 2014, at a Budget car rental facility in New Jersey.  While Terrence Byrd waited outside, Latasha Reed, his partner with whom he shares five children, entered the facility and signed the car rental agreement.  The agreement stated that additional drivers would only be allowed “with prior written consent.”  Reed did not add any drivers to the agreement.  Upon leaving the rental car facility, Reed gave the keys to Byrd, who began driving to Pittsburgh.  On the way, Byrd passed a Pennsylvania State Trooper, who was suspicious of Byrd because he was driving with his hands at the “10 and 2” position.

The officer pulled Byrd over for a possible traffic violation.  The officer and his partner learned that Byrd was not listed as an authorized driver on the rental agreement, and that Byrd had prior drug and weapons convictions.  Byrd told the officers that he had a marijuana cigarette in the car.  Without Byrd’s consent, the officers then searched the rental car, where they discovered a bullet-proof jacket and 49 bricks of heroin.

Byrd was charged with possession of heroin with intent to distribute and possession of body armor after a felony conviction for a violent crime.  Byrd argued that the evidence obtained in the search could not be used as evidence against him because the troopers lacked probable cause to search the trunk.  In response, the government argued that the officers did not need Byrd’s consent because he was not listed as an authorized driver on the rental agreement, and therefore had no expectation of privacy under the Fourth Amendment.

The district court agreed with the government that Byrd did not have had a reasonable expectation of privacy in the car because he was not an authorized driver on the rental car agreement.  The Third Circuit affirmed.  Neither court decided whether the troopers had probable cause to search the car.  On appeal to the Supreme Court, Byrd argued that whether he was on the rental car agreement was irrelevant to whether he had a reasonable expectation of privacy under the Fourth Amendment.  Rather, he argued, the relevant question is whether he has “possession and control” over the car—possession and control that he had, as Reed had rented the car and allowed him to drive it.

In a unanimous decision written by Justice Kennedy, the Supreme Court ruled for Byrd.  The Court rejected the government’s contention that drivers who are not listed on rental agreements always lack an expectation of privacy in the car, which “rests on too restrictive a view of the Fourth Amendment’s protections.”  The Court likewise rejected the government’s argument Byrd lacked a reasonable expectation of privacy based on the rental agreement.  “As anyone who has rented a car knows, car-rental agreements are filled with long lists of restrictions,” the Court wrote, including “prohibitions on driving the car on unpaved roads or driving while using a handheld cellphone.”  The government conceded that violating provisions like these had nothing to do with a driver’s reasonable expectation of privacy in the rental car, and the Court concluded that “there is no meaningful difference between the authorized-driver provision and the other provisions the Government agrees do not eliminate an expectation of privacy, all of which concern risk allocation between private parties—violators might pay additional fees, lose insurance coverage, or assume liability for damage resulting from the breach.”  (This reasoning may be invoked in future cases addressing the relationship between Fourth Amendment rights and Terms of Service.)

In turn, the Court rejected Byrd’s argument that a rental car’s sole occupant always has an expectation of privacy based on mere possession and control.  Without qualification, the Court reasoned, Byrd’s rule would include thieves or others who lack a reasonable expectation of privacy.

The Court’s decision expressly grounded the Fourth Amendment’s reasonable expectation of privacy test in “property concepts.”  While the Court made clear that property-based understandings of the Fourth Amendment are not always dispositive as to reasonable expectations of privacy, it suggested that where Fourth Amendment standing derives from ownership and possession of property, property-based principles may guide resolution of the reasonable expectations of privacy test.  Under the traditional property-based understanding of the Fourth Amendment, legitimate presence on the premises of the place searched, standing alone, is not enough to accord a reasonable expectation of privacy.  So too, the right to exclude others is one of the main rights attaching to property, and the one who owns or lawfully possesses or controls property will in all likelihood have a legitimate expectation of privacy by virtue of the right to exclude.

Despite the favorable decision for Byrd, the evidence against him may still be admissible—and his conviction may still be affirmed.  The Court remanded the case back to the lower courts to determine two issues.  First, whether Byrd still had an expectation of privacy even though he had engaged in “subterfuge” by using Reed to mislead the car rental company; and second, whether, even if Byrd had a right to object to the search, the police otherwise had probable cause for the search.

Covington IoT Update: U.S. Legislative Roundup on IoT

As policymakers weigh the many policy implications associated with the Internet of Things (“IoT”), U.S. lawmakers have put forward a variety of proposals for studying—and regulating—IoT devices.  Although the likelihood of current proposals becoming law this term remain uncertain at best, existing legislative proposals provide important context and insight into the ways that lawmakers view IoT and the government’s role in fostering and regulating the technology.

Below, we summarize five draft bills in the U.S. that approach IoT from different perspectives—including seeking to develop IoT technologies, imposing contractual requirements on companies that provide IoT devices to the government, regulating specific security standards, and creating new resources for consumers to better understand the security and reliability of their IoT devices.

Developing Innovation and Growing the Internet of Things (“DIGIT”) Act

The DIGIT Act was introduced in the Senate (S. 88) and the House (H.R. 686) in January 2017 to foster the development of IoT technologies.  The Act was passed by the Senate in August 2017 on a voice vote, but has stalled in the House.  The measure would direct the Secretary of Commerce to convene a “working group of Federal stakeholders” to create recommendations and a report to Congress on IoT.  The working group would:

  • Identify any federal regulations, statutes, grant practices, budgetary or jurisdiction challenges, and other sector-specific policies that are inhibiting or could inhibit the development of IoT;
  • Consider policies or programs to improve federal agency coordination on IoT;
  • Consider any findings or recommendations made by a new steering committee (described below) and act to implement those recommendations where appropriate; and
  • Examine how federal agencies can benefit from, currently use, and are prepared to adopt IoT, including any additional security measures that may be needed for IoT adoption by the federal government.

The Act would also create a new steering committee of non-federal-government representatives, tasked with advising the working group about issues including the availability of adequate spectrum, international proceedings relating to IoT, and policies and programs affecting individual privacy and critical infrastructure protection.

The DIGIT Act also would require the Federal Communications Commission (“FCC”), in consultation with the National Telecommunications and Information Administration (“NTIA”), to issue a notice of inquiry seeking public comment on current and future spectrum needs relating to the IoT, including regulatory barriers to necessary spectrum, the role of licensed and unlicensed spectrum in the IoT, and whether adequate spectrum is currently available.

Internet of Things Cybersecurity Improvement Act of 2017

This bill focuses on IoT devices purchased by the U.S. Government—and mandates specific contractual provisions agencies are to include in any contract for such devices.  It was introduced in the Senate (S. 1691) in August 2017.

The measure requires the Director of the Office of Management and Budget (“OMB”) to issue guidelines with specific contractual clauses for each executive agency to require in contracts for the acquisition of internet-connected devices.  These contractual provisions would require:

  • Written certification by the contractor that the device:
  • does not contain any known security vulnerability or defect;
  • relies on software capable of being updated by the vendor;
  • uses only non-deprecated industry standard protocols for communication, encryption, and internet connection; and
  • does not contain fixed or hard-coded credentials used for remote administration.
  • Notification by the contractor to the purchasing agency of any known vulnerabilities or defects subsequently disclosed or discovered;
  • The device to be updated or replaced to allow for patches or repair;
  • The provision of repair or a replacement device in a timely manner with respect to any new vulnerability discovered (if it cannot be patched or remediated); and
  • The provision of information about how the device receives security updates, the timeline for ending security support, formal notice when security support has ceased, and other information recommended by the NTIA.

The bill provides exceptions for devices with limited data processing and functionality where security would be “unfeasible” or “economically impractical.”  In certain cases, it also allows agencies to rely on compliance with existing third-party or agency security standards in lieu of these requirements, when the other standards provide an equivalent level of security.

Securing the IoT Act of 2017

This measure, introduced in the House in March 2017 (H.R. 1324), is a targeted bill that would require the FCC to establish cybersecurity standards that radio frequency equipment must meet throughout its lifecycle (design, installation, and retirement) in order to be certified under the FCC’s technical standards for equipment authorization.

Cyber Shield Act of 2017

This consumer-focused bill, introduced in the House (H.R. 4163) and Senate (S. 2020) in October 2017, would create a voluntary labeling and “grading” system for IoT devices.  Specifically, it directs the Secretary of Commerce to establish a voluntary program to “identify and certify covered products with superior cybersecurity and data security through voluntary certification and labeling.”  Under this program, products may be given grades that “display the extent to which a product meets the industry-leading cybersecurity and data security benchmarks.”

As part of the program, the Secretary of Commerce is also directed to establish and maintain cybersecurity and data security benchmarks, by convening and consulting interested parties and federal agencies.

The IOT Consumer Tips to Improve Personal Security Act of 2017

This consumer-focused measure, introduced in the Senate in December 2017 (S. 2234) would require the Federal Trade Commission to develop cybersecurity resources for consumer education and awareness regarding the purchase and use of IoT devices.  These resources are to be technology-neutral and are to include guidance, best practices, and advice for consumers to protect against, mitigate, and recover from cybersecurity threats or security vulnerabilities.

EU Releases e-Evidence Proposal for Cross-Border Data Access

On April 17, 2018, the European Commission published the e-Evidence Initiative, long-awaited legislation that would create a new framework for European Union (“EU”) Member States to access content data and metadata (collectively “e-evidence”) across national borders.  The European Commission released the proposal less than one month after the United States created its own framework governing cross-border data access in enacting the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act.  Like the CLOUD Act, the e-Evidence Initiative would provide new tools for law enforcement to obtain data stored across national borders for criminal investigations.  Importantly, too, the proposal would enable EU law enforcement authorities to obtain data directly from providers—including providers based outside the EU—and potentially regardless of which entity in the provider’s corporate structure has possession or custody over the data.

The e-Evidence Initiative includes two distinct measures: a proposed Regulation and a proposed Directive.

The Proposed Directive

The proposed Directive requires providers of certain online services to maintain a legal representative in the EU.  Specifically, it requires every such provider that either (1) is “established” in an EU Member State (e.g., through a subsidiary), or (2) has a “substantial connection” to at least one Member State (e.g., by virtue of a significant number of users there, or targeting its activities to users in Member State), to appoint a legal representative in at least one Member State.

The legal representative must have the capacity to process and fulfill orders from authorities in any Member State to preserve or produce electronic data for use in criminal proceedings—even orders from authorities in Member States in which the provider does not conduct business.  If the representative fails or is unable to comply with the order, both the legal representative and the provider it represents may be subject to sanctions.

The Proposed Regulation

The Regulation would create two new legal instruments: a European Production Order (“EPO”) and a European Preservation Order (“EPrO”).  Member State authorities could use these orders to compel the preservation or production, on a cross-border basis, of four data types: content data, transactional data, subscriber data, and access data.  A variety of technology companies would be covered by the Regulation, including electronic communications service providers, cloud providers, social networks, online marketplaces, hosting service providers, and providers of internet infrastructure such as IP address and domain name registries.  EPOs and EPrOs would only apply to stored data, however; they could not be used to intercept real-time communications.

Production Orders

The proposed Regulation would empower authorities in one Member State to use an EPO to directly compel a provider in a second Member State to disclose data.  EPOs would compel such disclosure regardless of where the data is stored—even if it is stored outside the EU.  The provider must respond to an EPO within 10 days, or within 6 hours where there is “imminent threat to life or physical integrity of a person or to a critical infrastructure,” subject to certain exceptions.  Authorities may issue an EPO for subscriber or access data for all criminal offenses, but for content or transactional data only for serious offenses (i.e., those with a minimum of a three-year sentence in the issuing Member State, or certain cyber and terrorism-related crimes).

The proposed Regulation includes an “enterprise exception” for EPOs: when authorities seek data that a provider holds on behalf of another company or entity, the EPO may only be addressed to the provider “where investigatory measures addressed to the company or the entity are not appropriate, in particular because they might jeopardise the investigation.”

Preservation Orders

Member State authorities could use an EPrO to directly compel a provider in a second Member State to preserve data (i.e., to prevent its deletion), regardless of where the data is stored.  Authorities could issue an EPrO for any of the four data types mentioned above, and for all criminal offenses.

Challenging Production and Preservation Orders

Providers may object to EPOs and EPrOs on a number of grounds.  For example, a provider may oppose an order if it was not issued by a proper issuing authority, if the provider cannot comply because of de facto impossibility, if the provider is not storing the data requested, if the request is not for services covered by the Regulation, or if it is apparent that the order “manifestly violates” the EU Charter of Fundamental Rights or is “manifestly abusive.”

In addition, the proposed Regulation establishes two mechanisms though which a provider could challenge an EPO based on a conflict between production obligations under the order and obligations under a third-country law (i.e., one other than an EU or Member State law).  First, the provider may refuse to comply with an EPO on the ground that disclosure would force it to violate a third-country law that either protects “the fundamental rights of the individuals concerned” or “the fundamental interests of the third country related to national security or defence.”  Where a provider raises such a challenge, issuing authorities can request review of the order by a Member State court.  If the court establishes that a conflict exists, the court must notify authorities in the third-party country; if that third-party country objects to execution of the order, the court must set it aside.

Second, a provider may refuse to comply with an order because it would force the provider to violate a third-country law that protects interests other than fundamental rights or national security and defense.  In such cases, the parties follow the same procedures as above, except that the court, rather than notifying the foreign authorities, conducts a multi-factor analysis to decide whether to enforce the order.

Global Implications

The e-Evidence Initiative would have a number of important policy consequences, not only for EU-based cloud customers, technology companies, and law enforcement authorities, but also for technology companies and cloud customers based outside of the Union.  By requiring providers within its scope to appoint a legal representative that can comply with Member State production and preservation orders, the Directive would give law enforcement authorities across the EU the ability to compel providers based outside the EU to produce data—potentially even regardless of which entity in the provider’s corporate group has possession or custody over the data.  This reading could result in a significant expansion of Member State jurisdiction over digital data held by service providers located outside the EU.

Virginia Supreme Court Holds that Police License Plate Readers Collect Personal Information

By Katie Bies

The Virginia Supreme Court held that license plate images taken by law enforcement agencies constitute “personal information,” reviving a challenge to the police storage of license plate data.

Automatic license plate readers (“ALPRs”) are used by police departments across the country to take thousands of photos of license plates per hour.  Officers check these numbers against lists of stolen or wanted vehicles.  Because ALPRs also record the date, time and location of the license plate image, groups such as the American Civil Liberties Union have argued that this collection is an invasion of privacy that allows police to track a person’s movements.

The Virginia Supreme Court’s ruling marks a significant development in a case challenging the mass collection of license plate images and location data by ALPRs.  In 2015, the ACLU sued the Fairfax County Police Department (“FCPD”) on behalf of Harrison Neal, a motorist whose license plate had been captured twice and stored pursuant to a FCPD policy for one year.  Neal alleged that FCPD’s collection and storage of ALPR data violates Virginia’s Data Act, a statute designed to prevent the unnecessary collection and storage of personal information by government agencies.  However, the circuit court rejected Neal’s claim.  The court ruled that a license plate number is not “personal information” under the Data Act because the number refers to a vehicle rather than an individual. Continue Reading

Mobile Phone Manufacturer Settles with FTC Over Allegations that Its Vendor Collected Personal Data without Consent

By Melanie Ramey

Mobile phone manufacturer BLU Products, Inc. entered into a settlement agreement with the FTC last week to resolve allegations that one of BLU’s China-based vendors collected personal information about its consumers without proper consent.

The settlement agreement, which took the form of a consent order, applies not only to BLU but also to its CEO and any other companies he owns and controls.  It requires that the company clarify its disclosures regarding customer data use and protection. It also requires BLU to implement a new data security program. In the new security program, BLU must address security risks related to the development and management of new and existing covered devices and must better protect the security, confidentiality, and integrity of personal information. These improved protections include developing and using reasonable steps to select and retain service providers capable of appropriately safeguarding consumer personal information. “Personal information” is defined in this context to include persistent identifiers such as cookies. Continue Reading

Changes Are Underway at the FTC As New Commissioners Are Sworn In

On Tuesday, Joseph Simons was sworn in as the new Chairman of the Federal Trade Commission.  The five-member Commission will soon be at full strength, as Simons is set to be joined by four other new FTC Commissioners, each of which were confirmed for seven-year terms by the Senate on April 26: Democrats Rebecca Kelly Slaughter and Rohit Chopra, and Republicans Noah Phillips and Christine Wilson.  Slaughter, Chopra, and Phillips are each expected to be sworn in this week, although Wilson will not take office until the Senate confirms Commissioner Ohlhausen’s nomination as a judge on the U.S. Court of Federal Claims.

The new Commissioners, with the exception of Slaughter, have backgrounds focusing more on competition and antitrust matters, as opposed to privacy and consumer protection.  As such, we will have to wait and see as to their views on privacy issues, and the FTC’s resulting priorities. Continue Reading

Covington Artificial Intelligence Update: House of Lords Select Committee publishes report on the future of AI in the UK

Reflecting evidence from 280 witnesses from the government, academia and industry, and nine months of investigation, the UK House of Lords Select Committee on Artificial Intelligence published its report “AI in the UK: ready, willing and able?” on April 16, 2018 (the Report). The Report considers the future of AI in the UK, from perceived opportunities to risks and challenges. In addition to scoping the legal and regulatory landscape, the Report considers the role of AI in a social and economic context, and proposes a set of ethical guidelines. This blog post sets out those ethical guidelines and summarises some of the key features of the Report. Continue Reading

4th Circuit Affirms Dismissal of TCPA Suit Based on ‘Derivative Sovereign Immunity’

Earlier this week, the Fourth Circuit Court of Appeals affirmed a lower court decision to dismiss a Telephone Consumer Protection Act (“TCPA”) lawsuit against General Dynamics Information Technology, Inc. (“GDIT”), on the basis that GDIT was immune from suit as a government contractor under what is known as the “Yearsley doctrine.”  Craig Cunningham v. GDIT, No. 17-1592 (Apr. 24, 2018).

GDIT was hired to assist the Centers for Medicare and Medicaid Services (“CMS”), a government agency, by calling individuals using an autodialer and a pre-approved script to provide information about their health insurance options under the Affordable Care Act.  When plaintiff Craig Cunningham received one of these calls, he filed a lawsuit alleging that GDIT had violated the TCPA for failing to obtain his prior consent.

The Fourth Circuit agreed with the lower court finding that GDIT was immune from suit under the Supreme Court’s Yearsley doctrine.  In Yearsley, the Supreme Court held that the doctrine of sovereign immunity that traditionally applies to the U.S. government may be extended to government contractors in instances where (1) the government authorized the contractor’s actions in question; and (2) the government “validly conferred” such authorization.  Yearsley v. W.A. Ross Construction Co., 309 U.S. 18, 20-21 (1940).  More recently, the Supreme Court applied the Yearsley doctrine to the TCPA, holding that contractors may be exempt from TCPA claims so long as they are lawfully acting on behalf of the government.  Campbell-Ewald Co. v. Gomez, 136 S. Ct. 663, 672 (2016).

Continue Reading

Senators Klobuchar and Kennedy Introduce Privacy Legislation

On April 24, 2018, Senators Amy Klobuchar (D-MN) and John Kennedy (R-LA) introduced the Social Media Privacy and Consumer Rights Act of 2018.  The bill aims to protect consumers’ online data by increasing the transparency of data collection and tracking practices, and requiring companies to notify consumers of a privacy violation within 72 hours.

“Our bill gives consumers more control over their private data, requires user agreements to be written in plain English and requires companies to notify users of privacy violations,” Senator Kennedy explained. “These are just simple steps that online platforms should have implemented in the first place.”

Other features of the legislation include providing consumers a right of access to see what information about them has been collected and used, allowing consumers to opt out of data collection and tracking, and requiring online platforms to have a privacy program in place.  Senator Klobuchar explained that “[c]onsumers should have the right to control their personal data and that means allowing them to opt out of having their data collected and tracked and alerting them within 72 hours when a privacy violation occurs and their personal information may be compromised.”  Continue Reading