On October 7, 2022, President Biden signed an Executive Order directing the steps that the United States will take to implement its commitments under the new EU-U.S. Data Privacy Framework. The framework was announced by the U.S. and the EU Commission in March 2022, after reaching a political agreement in principle (see our blog post
In March, the Supreme Court issued its decision in Federal Bureau of Investigation v. Fazaga, No. 20-828, holding that the state secrets privilege—and its dismissal remedy—applies to cases that may also be subject to the judicial review procedures set forth in the Foreign Intelligence Surveillance Act (“FISA”). In so holding, the Court reversed the Ninth Circuit’s 2020 ruling that FISA displaces the state secrets privilege in cases involving electronic surveillance.
On January 18, 2022, a New Jersey bill that prohibits employers from using tracking devices in vehicles operated by employees without providing written notice was passed into law. See Assembly Bill A3950. Effective April 18, 2022, the law will subject employers that knowingly make use of a “tracking device” in a vehicle used by an employee without providing written notice to the employee to civil penalties not exceeding $1,000 for the first violation and not exceeding $2,500 for the second violation. Id.…
On November 8, 2021, New York Governor Kathy Hochul signed a new electronic monitoring law (S2628) requiring New York businesses that monitor or intercept employees’ e-mails, telephone calls, or internet usage to notify employees in writing of these practices. The new law amends the state’s civil rights law and takes effect on May 7, 2022.
On November 1, 2021, the Supreme Court denied a petition for a writ of certiorari in American Civil Liberties Union v. United States. In its petition, the American Civil Liberties Union (ACLU) sought the Supreme Court’s review of the Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review’s (FISCR) decisions declining to release court records to the ACLU.
On October 1, 2020, the Hamburg Data Protection Authority (“Hamburg DPA”) fined H&M, the Swedish clothing company, over €35 million for illegally surveilling employees at its service center in Nuremberg. This fine is the largest financial penalty issued by a German DPA to date for a violation of the European General Data Protection Regulation (“GDPR”), and the second highest in Europe issued by any DPA (although other DPAs have announced their intention to issue other larger fines).
Senators Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.) and Marsha Blackburn (R-Tenn.) have introduced the Lawful Access to Encrypted Data Act, a bill that would require tech companies to assist law enforcement in executing search warrants that seek encrypted data. The bill would apply to law enforcement efforts to obtain data at rest as well as data in motion. It would also apply to both criminal and national security legal process. This proposal comes in the wake of the Senate Judiciary Committee’s December 2019 hearing on encryption and lawful access to data. According to its sponsors, the purpose of the bill is to “end the use of ‘warrant-proof’ encrypted technology . . . to conceal illicit behavior.”
The bill has three main provisions:…
On June 16, 2020, the First Circuit released its opinion in United States v. Moore-Bush. The issue presented was whether the Government’s warrantless use of a pole camera to continuously record for eight months the front of Defendants’ home, as well as their and their visitors’ comings and goings, infringed on the Defendants’ reasonable expectation of privacy in and around their home and thereby violated the Fourth Amendment. The appeal followed the district court’s decision in June 2019 in favor of Defendants’ motions to exclude evidence obtained via the pole camera. The Government, without obtaining a warrant, had installed a pole camera on a utility pole across the street from Defendants’ residence. The pole camera (1) took continuous video recording for approximately eight months, (2) focused on the driveway and the front of the house, (3) had the ability to zoom in so close that it could read license plate numbers, and (4) created a digitally searchable log.
In their motions to exclude, the Defendants, relying on Katz v. United States, argued they had both a subjective and objective reasonable expectation of privacy in the movements into and around their home, and that the warrantless use of the pole camera therefore constituted an unreasonable search under the Fourth Amendment. The Government relied on an earlier First Circuit case, United States v. Bucci, which held that there was no reasonable expectation of privacy in a person’s movements outside of and around their home—“An individual does not have an expectation of privacy in items or places he exposes to the public.” Thus, Bucci held that use of a pole camera for eight months did not constitute a search.
As we anticipated in a previous blog post, on April 22, 2020, the European Data Protection Board (“EDPB”) issued new guidelines on the use of location data and contact tracing apps in the context of the present COVID-19 pandemic.
The EDPB’s close scrutiny over the use of mobile data and apps in the context of the ongoing public health crisis is unsurprising, as many EU Member States have launched—or are in the process of launching—contact tracing apps to fight the spread of the virus, and these initiatives are receiving great attention from data privacy authorities and the general public (see our blog post here).
The guidelines aim to clarify the data protection conditions and principles that should be followed when:
- using location data to model the spread of the virus to assess the overall effectiveness of confinement measures; and
- using contact tracing apps, which aim to notify individuals who may have been in close proximity to someone who is infected or confirmed as a carrier of the virus, in order to break the contamination chain as early as possible.
The EDPB stresses that EU data protection rules have been designed to be flexible and, as such, do not stand in the way of an efficient response to the pandemic. However, it notes that governments and private actors should be mindful of a number of considerations when they use data-driven solutions in response to the COVID-19 outbreak.…
On 8 April 2020, the European Commission adopted a recommendation on a common European Union toolbox for the use of technology and data to address the COVID-19 crisis (“Recommendation”). The Recommendation responds to calls for a common EU approach to the use of mobile apps in combatting COVID-19—one that improves the efficacy of the technology while respecting citizens’ privacy rights.
The Recommendation has since been complemented by a separate Commission guidance paper on COVID-19 apps (“Guidance”) and release of a Common EU Toolbox for Member States (“Toolbox”) by the EU’s eHealth Network, a Commission-established body comprised of Member State authorities responsible for eHealth matters. In addition, the European Data Protection Board (“EDPB”), which contributed to the Guidance, has published a letter to the Commission in response to the Guidance (“Letter”).
This blog will discuss the headline points contained within the Recommendation, Guidance, Toolbox, and Letter. We will publish more detailed analyses of the Toolbox and Guidance in subsequent blogs.…