Electronic Surveillance and Law Enforcement Access

Last week, the Ninth Circuit held in United States v. Wilson, No. 18-50440, 2021 WL 4270847, that a law enforcement officer violated a criminal defendant’s Fourth Amendment rights when he opened images attached to the defendant’s emails without a warrant, even though the images had previously been flagged as child sexual abuse materials (“CSAM”) by Google’s automated CSAM-detection software.  The court based its ruling on the private search exception to the Fourth Amendment, which permits law enforcement to conduct a warrantless search only to the extent the search was previously conducted by a private party.  Because no individual at Google actually opened and viewed the images flagged as CSAM, the court held that law enforcement “exceeded the scope of the antecedent private search,” thereby “exceed[ing] the limits of the private search exception.”  Op. at 20-21.

Continue Reading Ninth Circuit’s Interpretation of Private Search Exception to the Fourth Amendment Contributes to “Growing Tension” Among Circuit Courts

Last year, Apple’s iOS14 incorporated a new feature notifying users when an app copied from the iPhone’s clipboard.  The feature resulted in media scrutiny for a number of well-known apps, some of which faced putative class action lawsuits as a result.  A court in the Eastern District of California recently dismissed one such suit, Mastel v. Miniclip SA, No. 2:21-cv-00124 (E.D. Cal.).  In that decision, the court rejected a broad interpretation of telephone “instrument” under the California Invasion of Privacy Act (“CIPA”), concluding that non-telephonic smartphone functionality does not constitute a telephone instrument.
Continue Reading California Federal Court Adopts Narrow Reading of Telephone “Instrument” Under the California Invasion of Privacy Act

On June 24, 2021, Australian parliament passed legislation establishing a framework for its enforcement agencies to access certain electronic data held by companies outside of Australia for law enforcement and national security purposes.  The law paves the way for the establishment of a bilateral agreement with the United States under the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act.

Similar to the function of the CLOUD Act, the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 enables Australian enforcement authorities to compel companies covered by the statute to provide data, regardless of where the data is stored.  The legislation introduces international production orders, a form of legal process for compelling real-time interception of communications or the production of stored communications and telecommunications data, which can be served directly on communications providers in foreign countries with which Australia has an agreement.
Continue Reading Australia Passes Cross-Border Data Access Law, Creates a Pathway for CLOUD Act Bilateral Agreement

In the wake of the Court of Justice of the European Union’s (“ECJ”) Schrems II decision invalidating the EU-U.S. Privacy Shield (“Privacy Shield”) but upholding the validity of standard contractual clauses (“SCCs”), the U.S. government has released a White Paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.”  The Schrems II ruling requires companies relying on SCCs “to verify, on a case-by-case basis,” whether the level of protections afforded by the SCCs are respected and observed in the recipient country.  According to the cover letter accompanying the White Paper, it “outlines the robust limits and safeguards in the United States pertaining to government access to data” as part of “an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling.”

The cover letter emphasizes that while the White Paper is intended to help companies make the case that they can transfer personal data from the EU to the United States in compliance with EU law, it does not “eliminate the urgent need for clarity from European authorities or the onerous compliance burdens generated by the Schrems II decision.”  It concludes by citing the importance of the “$7.1 trillion transatlantic economic relationship” and stating that “the Trump Administration is exploring all options at its disposal and remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States.”
Continue Reading U.S. Government Issues White Paper on Privacy Safeguards Following Schrems II

Last month marks two years since the Supreme Court held, in Carpenter v. United States, that the Fourth Amendment applies to cell phone company records that detail a cell phone user’s location and movements.  Under Carpenter, police are generally required to use a warrant to obtain seven days or more of a user’s cell-site location information from phone companies.

As we previously reported, Carpenter redefined how the Fourth Amendment applies to information held by technology companies in the digital age.  Prior to Carpenter, the Court applied the third-party doctrine, under which a person who voluntarily revealed information to third parties—such as telephone companies, banks, or technology companies—lacks a reasonable expectation of privacy in that information and therefore forfeits Fourth Amendment protections.  In Carpenter, the Court declined to apply the third-party doctrine to cell-site location information, even though the cell phone user revealed their location information to their phone company.  Despite the significance of this ruling, the Court said that its decision in Carpenter was a “narrow one” that did not “address other business records that might incidentally reveal location information” or “consider other collection techniques involving foreign affairs or national security.”
Continue Reading Two Years of Carpenter

Senators Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.) and Marsha Blackburn (R-Tenn.) have introduced the Lawful Access to Encrypted Data Act, a bill that would require tech companies to assist law enforcement in executing search warrants that seek encrypted data.  The bill would apply to law enforcement efforts to obtain data at rest as well as data in motion.  It would also apply to both criminal and national security legal process.  This proposal comes in the wake of the Senate Judiciary Committee’s December 2019 hearing on encryption and lawful access to data.  According to its sponsors, the purpose of the bill is to “end[] the use of ‘warrant-proof’ encrypted technology . . . to conceal illicit behavior.”

The bill has three main provisions:
Continue Reading Lawful Access to Encrypted Data Act Introduced

On March 31st, Washington Governor Jay Inslee signed into law SB 6280, a bill aimed at regulating state and local government agencies’ use of facial recognition services.  An overview of the law’s provisions can be found here.

Notably, Governor Inslee vetoed Section 10 of the bill, which aimed to establish a legislative

On March 12, 2020, Washington’s state legislature passed SB 6280, a bill that will regulate state and local government agencies’ use of facial recognition services (“FRS’s”).  The bill aims to create a legal framework by which agencies may use FRS’s to the benefit of society (for example, by assisting agencies in locating missing or deceased persons), but prohibits uses that “threaten our democratic freedoms and put our civil liberties at risk.”
Continue Reading Washington State Passes Bill Limiting Government Use of Facial Recognition

On October 3, 2019, the United States and United Kingdom signed an agreement on cross-border law enforcement demands for data from service providers (“Agreement”). The Agreement is the first bilateral agreement to be entered under the Clarifying Lawful Overseas Use of Data (CLOUD) Act. It obligates each Party to remove barriers in their domestic laws so that U.S. and U.K. national security and law enforcement agencies may obtain certain electronic data directly from Communications Service Providers (“CSPs”) located in the jurisdiction of the other Party. The Agreement will go into effect 180 days after its transmission to Congress by the Attorney General, unless Congress disapproves by joint resolution.

Continue Reading U.S. and U.K. Sign CLOUD Act Agreement

R (on the application of Edward Bridges) v The Chief Constable of South Wales [2019] EWHC 2341 (Admin)

Case Note

Introduction

In Bridges, an application for judicial review, the UK High Court (Lord Justice Haddon-Cave and Mr. Justice Swift) considered the lawfulness of policing operations conducted by the South Wales Police force (“SWP”) which utilised Automated Facial Recognition (“AFR”) technology.  The Court rejected Mr Bridges’ allegations that the SWP’s conduct was unlawful as contrary to the European Convention on Human Rights (“ECHR”), Article 8, the Data Protection Acts 1998 and 2018 (“DPA 98 and 18”), and the Equality Act 2010.  In this blog post we consider several key aspects of the case.


Continue Reading UK Court upholds police use of automated facial recognition technology