Lawful Access to Encrypted Data Act Introduced

By Trisha Anderson, Alexander Berengaut, Jim Garland and Chloe Goodwin on Posted in Congress, Electronic Surveillance and Law Enforcement Access, Surveillance

Senators Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.) and Marsha Blackburn (R-Tenn.) have introduced the Lawful Access to Encrypted Data Act, a bill that would require tech companies to assist law enforcement in executing search warrants that seek encrypted data.  The bill would apply to law enforcement efforts to obtain data at rest as well as data in motion.  It would also apply to both criminal and national security legal process.  This proposal comes in the wake of the Senate Judiciary Committee’s December 2019 hearing on encryption and lawful access to data.  According to its sponsors, the purpose of the bill is to “end[] the use of ‘warrant-proof’ encrypted technology . . . to conceal illicit behavior.”

The bill has three main provisions: Continue Reading

China Issued the Draft Data Security Law

By Yan Luo and Zhijing Yu on Posted in China, Data, Data Security, International

On July 2, 2020, the Standing Committee of the National People’s Congress of China (“NPC”) released the draft Data Security Law (“Draft Law”) for public comment.  The release of the Draft Law marks a step forward in establishing a regulatory framework for the protection of broadly defined “data security” in China, with a particular focus on the governance of “important data,” defined as “data that, if leaked, may directly affect China’s national security, economic security, social stability, or public health and security.”  Many provisions of the Draft Law remain vague and lack guidance on how they might be implemented in practice.

Continue Reading

FCC Issues Two TCPA Declaratory Rulings, One Clarifying Autodialer Definition

By Rafael Reyneri on Posted in Federal Communications Commission, TCPA

Earlier this week, the Federal Communications Commission’s (FCC’s) Consumer and Government Affairs Bureau released a Declaratory Ruling clarifying the agency’s interpretation of the “Automatic Telephone Dialing System” (an “autodialer” or “ATDS”) definition in the Telephone Consumer Protection (TCPA).  The Ruling clarified that, in the context of a call or text message platform, the definition does not turn on whether the platform is used by others to transmit a large volume of calls or text messages; instead, the relevant inquiry is whether, in this context, the platform is capable of transmitting calls or text messages without a user manually dialing each such call or text message.

The Declaratory Ruling was issued in response to a Petition filed by the P2P Alliance  seeking confirmation that its text messaging platform is not an autodialer and therefore not subject to the TCPA’s ATDS-related consent requirements.  These requirements generally prohibit using an ATDS to call or text a mobile number without the recipient’s consent.  The Petition stated that the text messaging platform at issue required users of the platform “to actively and affirmatively manually dial each recipient’s number and transmit each message one at a time.”  The Petition also stated that recipients generally would provide their consent to receive such messages by providing their mobile numbers to the platform’s users. Continue Reading

FERC Requests Comments on Grid Cybersecurity Initiatives

By Inside Privacy on Posted in Cybersecurity

In a new post on the Covington Energy & Environment Blog, our colleagues discuss the Federal Energy Regulatory Commission’s Notice of Inquiry on updating reliability standards related to cybersecurity, especially given the threat of a coordinated cyberattack targeting geographically distributed generation resources.  The Commission also issued a staff paper that suggests a framework for providing incentives in transmission rates for cybersecurity investments.  To read the post, please click here.

PACT Act Would Deny Section 230 Immunity in Certain Instances and Impose Greater Transparency, Process, and Enforcement Mandates

By Calvin Cohen on Posted in Congress, Social Media, United States

Continuing the flood of recent proposals to amend the scope of Section 230 of the 1996 Communications Decency Act, a bipartisan group of Senators unveiled the Platform Accountability and Consumer Transparency Act (“PACT Act”) last week.  Proposed by Senators Brian Schatz (D-HI) and John Thune (R-SD), the PACT Act comes on the heels of legislative proposals from Senate Republicans, a Department of Justice report with proposed amendments to the law—both of which we analyzed here—and the Trump Administration’s executive order on Section 230.

The PACT Act would amend Section 230 to include an “intermediary liability standard.”  Under this standard, Section 230’s immunity protections would no longer apply to any interactive computer service provider that “has knowledge” of any illegal content or illegal activity occurring on their service and that “does not remove the illegal content or stop the illegal activity within 24 hours of acquiring that knowledge.”  “Knowledge” of the illegal content requires notification in writing that identifies the illegal content or activity with “information reasonably sufficient to permit the provider to locate” it, as well as a copy of the Federal or State court order determining such content violated Federal law or State defamation law. Continue Reading

European Commission Publishes 2-Year Report on the Implementation of the GDPR

By Dan Cooper, Kristof Van Quathem, Nicholas Shepherd and Anna Oberschelp de Meneses on Posted in Data Privacy, EU Data Protection, European Union, Internet of Things (IoT), Online Targeting, Privacy and Data Security

On June 24, 2020, the European Commission (“Commission”) published its much-anticipated assessment of the EU’s General Data Protection Regulation (“GDPR”) two years after it went into effect.  The assessment takes into account contributions from the European Council, the European Parliament, the European Data Protection Board (“EDPB”), individual supervisory authorities, the Multi-Stakeholder Expert Group and other stakeholders.  The assessment considers a wider scope of issues surrounding GDPR implementation beyond international transfers and the cooperation and consistency mechanisms, the two topics the Commission is specifically tasked to consider under Article 97 of the GDPR.

The Commission’s overall conclusion is that the GDPR has successfully achieved its objectives of enhancing the protection of personal data and improving the free flow of personal data within the EU.  The Commission specifically highlights the key role that the GDPR plays in the EU’s “human-centric approach to technology,” and notes that it will serve as a guiding legal framework for the EU as it rolls out its broader Data Strategy.  The Commission also notes the impact that the GDPR has had worldwide, inspiring new or elevated standards for data protection in many countries, and serving as a “global standard-setter” for regulating the digital economy.

Notwithstanding these achievements, the Commission also makes clear that there are a number of areas for improvement.

Continue Reading

United States v. Moore-Bush: No Reasonable Expectation of Privacy Around the Home

By Trisha Anderson, Alexander Berengaut and John Fraser on Posted in Emerging Technologies, Litigation, Surveillance

On June 16, 2020, the First Circuit released its opinion in United States v. Moore-Bush.  The issue presented was whether the Government’s warrantless use of a pole camera to continuously record for eight months the front of Defendants’ home, as well as their and their visitors’ comings and goings, infringed on the Defendants’ reasonable expectation of privacy in and around their home and thereby violated the Fourth Amendment.  The appeal followed the district court’s decision in June 2019 in favor of Defendants’ motions to exclude evidence obtained via the pole camera.  The Government, without obtaining a warrant, had installed a pole camera on a utility pole across the street from Defendants’ residence.  The pole camera (1) took continuous video recording for approximately eight months, (2) focused on the driveway and the front of the house, (3) had the ability to zoom in so close that it can read license plate numbers, and (4) created a digitally searchable log.

In their motions to exclude, the Defendants, relying on Katz v. United States, argued they had both a subjective and objective reasonable expectation of privacy in the movements into and around their home, and that the warrantless use of the pole camera therefore constituted an unreasonable search under the Fourth Amendment.  The Government relied on an earlier First Circuit case, United States v. Bucci, which held that there was no reasonable expectation of privacy in a person’s movements outside of and around their home—“An individual does not have an expectation of privacy in items or places he exposes to the public.”  Thus, Bucci held that use of a pole camera for eight months did not constitute a search. Continue Reading

French Council of State Decides that the French Supervisory Authority Cannot Prohibit Cookie Walls

By Kristof Van Quathem, Dan Cooper and Anna Oberschelp de Meneses on Posted in Data Privacy, European Union

On June 19, 2020, the French Council of State (Conseil d’État) decided that the French Supervisory Authority (“CNIL”) had gone too far in its guidance on cookies and similar technologies when it stated that conditioning a user’s access to a website upon his or her acceptance of certain cookies (commonly known as “cookie walls”) is never compliant with the consent requirements in the EU General Data Protection Regulation (“GDPR”).

According to the Council of State, such a blanket prohibition cannot be deduced from the text of the GDPR. The Council of State reminded the CNIL that its guidance is only soft law and therefore must follow the text of the GDPR. The CNIL has announced that it will adapt its guidance in light of the Council of State’s decision. The decision serves as a stark reminder that even EDPB or CNIL guidance is can only interpret the text of the GDPR, and cannot break fresh legal ground. Continue Reading

FTC and NAD Actions Highlight Continued Scrutiny of Online Reviews

By John Graubert, Laura Kim, Nicole Roberts and Ryan Miller on Posted in Advertising & Marketing, Federal Trade Commission

As consumers rely more and more on the “independent” reviews of their peers in choosing products and services, advertisers need to remain vigilant that their role (if any) in disseminating such reviews is fairly disclosed, accurate and not misleading.  The pitfalls in this area were recently illustrated by a pair of enforcement actions brought by the Federal Trade Commission and the National Advertising Division of the Better Business Bureau.  These actions, the latest in a series of similar enforcement efforts, confirm that review sites remain a hotbed of enforcement activity, and both actions serve as good reminders of the standards that review sites must observe to avoid similar actions.

The first of these actions is an FTC enforcement against LendEDU, which centered around the “objective,” “honest,” “accurate,” and “unbiased” rankings of financial products that LendEDU posted to its review site.  The FTC alleged that, far from being objective and honest, these rankings were in fact determined based on compensation from the companies being ranked.  In addition, the FTC alleged that over ninety percent of LendEDU’s “unbiased” positive reviews were in fact written by LendEDU employees and their friends and families. Continue Reading

Twin Proposals Would Reform Section 230’s Liability Protections and Broadly Affect Online Content

By Calvin Cohen on Posted in Congress, Department of Justice

On Wednesday, two proposals were unveiled that would reform the scope of Section 230 of the Communications Decency Act of 1996.  Section 230 immunizes online platforms from civil liability based on third-party content, and provides immunity for acting in “good faith” to restrict or remove content that is “obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable.”

Continue Reading

LexBlog