The Senate Judiciary Committee today successfully reported H.R. 1428, the Judicial Redress Act of 2015.  However, the bill included an amendment to the House-passed version that has the potential to influence current negotiations between the United States and the European Union to reach a new Safe Harbor agreement.

As we previously reported, the Judicial

On January 12, 2016, the European Court of Human Rights (ECtHR) ruled that an employer who had monitored an employee’s private communications during working hours had not breached the employee’s right to privacy (under Article 8 of the European Convention on Human Rights).

This judgment will influence how other European national courts and regulators view similar cases involving employer monitoring of employee private communications. However, the full scope of the judgment remains somewhat unclear; in particular, it is not clear whether the ECtHR would apply similar logic if the monitored communications had been carried out through a personal account, rather than a professional one.  Employers should also take note that the judgment emphasizes the need for employer monitoring policies to be reasonable and proportionate.  The judgment is available in full here.

Earlier this year, a woman sued her former employer for invasion of privacy and retaliation, claiming that she was fired after refusing to use a GPS tracking app that her employer required to be run at all times on her company-issued mobile device, even outside of work hours.  That case appears to have been settled out of court; however, in another case the National Labor Relations Board (“NLRB”) recently found that, at least in circumstances involving investigations of misconduct, employers may be entitled to track employee movements.  Specifically, the NLRB’s Division of Advice determined last month that an employer’s use of GPS tracking to monitor a unionized employee under investigation for misconduct did not constitute a “material, substantial, and significant” change in employees’ terms and conditions of employment.  Accordingly, the NLRB concluded that the employer had no obligation to bargain over the installation and use of the GPS device.

In another ruling that adopts a narrow reading of the term “personally identifiable information” (“PII”) in the Video Privacy Protection Act (“VPPA”), a New York district court held in Robinson v. Disney Online that a plaintiff failed to plead a VPPA claim against Disney based on Disney’s sharing a device ID and viewing information with a third party.

Plaintiff Robinson used a Roku, a video-streaming set-top box, to watch Disney videos on Disney’s Roku channel.  Each Roku device has a “Roku ID,” a unique serial number assigned to the device itself.  Robinson alleged that Disney sent a record of the videos he watched on its channel, along with a hashed version of his Roku ID, to Adobe, a third-party analytics company.  Adobe allegedly had the capability to use aggregated consumer data from various sources to identify users based on their hashed Roku IDs.  Robinson sued Disney under the VPPA.

A new post on Covington’s Inside Medical Devices blog discusses a new portal recently launched by HHS seeking questions from mobile health application developers.  The platform allows individuals to both submit and review questions on the HIPAA implications of these mobile health applications.  To read the post, click here.

On October 12, 2015, the European Parliament’s Civil Liberties, Justice and Home Affairs (“LIBE”) Committee held a debate to discuss the aftermath of the ruling of the Court of Justice of the European Union (“CJEU”) in Case C-362/14 Maximillian Schrems v Data Protection Commissioner (see summary of the ruling here and summary of the Advocate-General’s Opinion here).  The debate was chaired by the LIBE Committee Chair, Claude Moraes, and started with a presentation from the European Parliament’s Legal Service.  The Legal Service provided a summary of the CJEU’s decision, and set out the following points:

  • The ruling confirms the importance of the EU Charter of Fundamental Rights in protecting EU citizens, and the fact that all EU laws must comply with the Charter.  In this case, the Charter rights invoked included the right of all EU citizens to privacy and the right to an effective judicial remedy.  It can be concluded from the CJEU’s ruling that the Data Protection Directive 95/46/EC does comply with the Charter.
  • Both the Charter of Fundamental Rights and the Data Protection Directive 95/46/EC provide a high level of protection to EU citizens’ personal data, whether the data are situated inside or outside the EU.  This means that a third country can only be considered to provide “adequate” protection to EU citizens’ personal data when that country itself has strong data protection laws.  The protection provided in a third country need not be identical, but must provide an “essentially equivalent” protection to that guaranteed under EU law.
  • Legislation, whether in the EU or the U.S., cannot legitimately authorize mass or generalized surveillance of EU citizens’ data.
  • The power of local data protection authorities (“DPAs”) to investigate data protection breaches cannot be restricted by the Commission.



On August 29, 2015, China’s legislature, the National People’s Congress, amended the Criminal Law, effective November 1, 2015. Among other things, the amendments modify and add several provisions related to data privacy and cybersecurity. We discuss some of these key amendments below.

On July 6, 2015, China’s National People’s Congress (NPC) released a draft of the Network Security Law  (“Draft Law,” referred to in some press articles as the draft Cybersecurity Law) for public comment.  Comments can be submitted through the NPC website or by mail before August 5, 2015. The release of the Draft Law follows closely on the heels of the new National Security Law that was enacted last week (see Covington blog post here).

This Draft Law, initially reviewed by the NPC in June, would apply broadly to entities or individuals that construct, operate, maintain, and use networks within the territory of China, as well as those who are responsible for supervising and managing network security. A number of the provisions in this Draft Law, if enacted in their current form, are likely to significantly impact information and communications technology (“ICT”) and other companies with business operations or interests in China.

The provisions that most merit the close attention of companies are those that relate to (1) the “secure” operations of networks and “critical information infrastructure,” and (2) data protection. This post focuses on the latter.

Yesterday, the U.S. Supreme Court granted certiorari and agreed to consider Campbell-Ewald Company v. Gomez, in which the U.S. Court of Appeals for the Ninth Circuit held that a consumer’s failure to accept an advertiser’s settlement offer that would fully satisfy the consumer’s claim did not render moot either the consumer’s individual claim under the Telephone Consumer Protection Act (TCPA) or his putative class action, arising from the alleged transmission of unsolicited automated text messages.