In March, the Supreme Court issued its decision in Federal Bureau of Investigation v. Fazaga, No. 20-828, holding that the state secrets privilege—and its dismissal remedy—applies to cases that may also be subject to the judicial review procedures set forth in the Foreign Intelligence Surveillance Act (“FISA”).  In so holding, the Court reversed the Ninth Circuit’s 2020 ruling that FISA displaces the state secrets privilege in cases involving electronic surveillance.

Continue Reading Supreme Court Holds FISA Does Not Displace the State Secrets Privilege

On January 18, 2022, a New Jersey bill which prohibits employers from making use of tracking devices in vehicles operated by employees without providing written notice was passed into law. See Assembly Bill A3950. Effective April 18, 2022, the law will subject employers that knowingly make use of a “tracking device” in a vehicle used by an employee without providing written notice to the employee to civil penalties not exceeding $1,000 for the first violation and not exceeding $2,500 for the second violation. Id.
Continue Reading New Jersey Law Requires Employers to Provide Notice Before Tracking Vehicles

On November 8, 2021, New York Governor Kathy Hochul signed a new electronic monitoring law (S2628) requiring New York businesses that monitor or intercept employees’ e-mails, telephone calls, or internet usage to notify employees in writing of these practices.  The new law amends the state’s civil rights law and takes effect on May 7, 2022.
Continue Reading New York Requires Businesses To Notify Employees of Electronic Monitoring

On November 1, 2021, the Supreme Court denied a petition for a writ of certiorari in American Civil Liberties Union v. United States. In its petition, the American Civil Liberties Union (ACLU) sought the Supreme Court’s review of the Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review’s (FISCR) decisions declining to release court records to the ACLU.
Continue Reading The Supreme Court Denies Certiorari in American Civil Liberties Union v. United States

On October 1, 2020, the Hamburg Data Protection Authority (“Hamburg DPA”) fined H&M, the Swedish clothing company, over €35 million for illegally surveilling employees at its service center in Nuremberg.  This fine is the largest financial penalty issued by a German DPA to date for a violation of the European General Data Protection Regulation (“GDPR”), and the second highest in Europe issued by any DPA (although other DPAs have announced their intention to issue other larger fines).
Continue Reading H&M Receives Record-Breaking Fine for Employee Surveillance in Violation of the GDPR

Senators Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.) and Marsha Blackburn (R-Tenn.) have introduced the Lawful Access to Encrypted Data Act, a bill that would require tech companies to assist law enforcement in executing search warrants that seek encrypted data.  The bill would apply to law enforcement efforts to obtain data at rest as well as data in motion.  It would also apply to both criminal and national security legal process.  This proposal comes in the wake of the Senate Judiciary Committee’s December 2019 hearing on encryption and lawful access to data.  According to its sponsors, the purpose of the bill is to “end[] the use of ‘warrant-proof’ encrypted technology . . . to conceal illicit behavior.”

The bill has three main provisions:
Continue Reading Lawful Access to Encrypted Data Act Introduced

On June 16, 2020, the First Circuit released its opinion in United States v. Moore-Bush.  The issue presented was whether the Government’s warrantless use of a pole camera to continuously record for eight months the front of Defendants’ home, as well as their and their visitors’ comings and goings, infringed on the Defendants’ reasonable expectation of privacy in and around their home and thereby violated the Fourth Amendment.  The appeal followed the district court’s decision in June 2019 in favor of Defendants’ motions to exclude evidence obtained via the pole camera.  The Government, without obtaining a warrant, had installed a pole camera on a utility pole across the street from Defendants’ residence.  The pole camera (1) took continuous video recording for approximately eight months, (2) focused on the driveway and the front of the house, (3) had the ability to zoom in so close that it can read license plate numbers, and (4) created a digitally searchable log.

In their motions to exclude, the Defendants, relying on Katz v. United States, argued they had both a subjective and objective reasonable expectation of privacy in the movements into and around their home, and that the warrantless use of the pole camera therefore constituted an unreasonable search under the Fourth Amendment.  The Government relied on an earlier First Circuit case, United States v. Bucci, which held that there was no reasonable expectation of privacy in a person’s movements outside of and around their home—“An individual does not have an expectation of privacy in items or places he exposes to the public.”  Thus, Bucci held that use of a pole camera for eight months did not constitute a search.
Continue Reading United States v. Moore-Bush: No Reasonable Expectation of Privacy Around the Home

As we anticipated in a previous blog post, on April 22, 2020, the European Data Protection Board (“EDPB”) issued new guidelines on the use of location data and contact tracing apps in the context of the present COVID-19 pandemic.

The EDPB’s new guidelines complement and build on similar guidance previously issued by the Board itself (see here, here and here), and by the European Commission (see our blog post here).

The EDPB’s close scrutiny over the use of mobile data and apps in the context of the ongoing public health crisis is unsurprising, as many EU Member States have launched—or are in the process of launching—contact tracing apps to fight the spread of the virus, and these initiatives are receiving great attention by data privacy authorities and the general public (see our blog post here).

The guidelines aim to clarify the data protection conditions and principles that should be followed when:

  • using location data to model the spread of the virus to assess the overall effectiveness of confinement measures; and
  • using contact tracing apps, which aim to notify individuals who may have been in close proximity to someone who is infected or confirmed as a carrier of the virus, in order to break the contamination chain as early as possible.

The EDPB stresses that EU data protection rules have been designed to be flexible and, as such, do not stand in the way of an efficient response to the pandemic.  However, it notes that governments and private actors should be mindful of a number of considerations when they use data-driven solutions in response to the COVID-19 outbreak.

Continue Reading EDPB Issues New Guidance on the Use of Location Data and Contact Tracing in the Context of the COVID-19 Outbreak

On 8 April 2020, the European Commission adopted a recommendation on a common European Union toolbox for the use of technology and data to address the COVID-19 crisis (“Recommendation”).  The Recommendation responds to calls for a common EU approach to the use of mobile apps in combatting COVID-19—one that improves the efficacy of the technology while respecting citizens’ privacy rights.

The Recommendation has since been complemented by a separate Commission guidance paper on COVID-19 apps (“Guidance”) and release of a Common EU Toolbox for Member States (“Toolbox”) by the EU’s eHealth Network, a Commission-established body comprised of Member State authorities responsible for eHealth matters.   In addition, the European Data Protection Board (“EDPB”), which contributed to the Guidance, has published a letter to the Commission in response to the Guidance (“Letter”).

This blog will discuss the headline points contained within the Recommendation, Guidance, Toolbox, and Letter.  We will publish more detailed analyses of the Toolbox and Guidance in subsequent blogs.

Continue Reading EU Commission Releases Guidance on COVID-19 Apps

On October 31, 2019, Elizabeth Denham, the UK’s Information Commissioner issued an Opinion and an accompanying blog urging police forces to slow down adoption of live facial recognition technology and take steps to justify its use.  The Commissioner calls on the UK government to introduce a statutory binding code of practice on the use of biometric technology such as live facial recognition technology.  The Commissioner also announced that the ICO is separately investigating the use of facial recognition by private sector organizations, and will be reporting on those findings in due course.

The Opinion follows the ICO’s investigation into the use of live facial recognition technology in trials conducted by the Metropolitan Police Service (MPS) and South Wales Police (SWP).  The ICO’s investigation was triggered by the recent UK High Court decision in R (Bridges) v The Chief Constable of South Wales (see our previous blog post here), where the court held that the use of facial recognition technology by the South Wales Police Force (“SWP”) was lawful.

The ICO had intervened in the case.  In the Opinion, the Commissioner notes that, in some areas, the High Court did not agree with the Commissioner’s submissions.  The Opinion states that the Commissioner respects and acknowledges the decision of the High Court, but does not consider that the decision should be seen as a blanket authorization to use live facial recognition in all circumstances.

Continue Reading AI/IoT Update: UK’s Information Commissioner Issues Opinion on Use of Live Facial Recognition Technology by Police Forces