In March, the Supreme Court issued its decision in Federal Bureau of Investigation v. Fazaga, No. 20-828, holding that the state secrets privilege—and its dismissal remedy—applies to cases that may also be subject to the judicial review procedures set forth in the Foreign Intelligence Surveillance Act (“FISA”). In so holding, the Court reversed the Ninth Circuit’s 2020 ruling that FISA displaces the state secrets privilege in cases involving electronic surveillance.
Continue Reading Supreme Court Holds FISA Does Not Displace the State Secrets Privilege
Surveillance
New Jersey Law Requires Employers to Provide Notice Before Tracking Vehicles
On January 18, 2022, a New Jersey bill which prohibits employers from making use of tracking devices in vehicles operated by employees without providing written notice was passed into law. See Assembly Bill A3950. Effective April 18, 2022, the law will subject employers that knowingly make use of a “tracking device” in a vehicle used by an employee without providing written notice to the employee to civil penalties not exceeding $1,000 for the first violation and not exceeding $2,500 for the second violation. Id.
Continue Reading New Jersey Law Requires Employers to Provide Notice Before Tracking Vehicles
U.S. Government Issues White Paper on Privacy Safeguards Following Schrems II
In the wake of the Court of Justice of the European Union’s (“ECJ”) Schrems II decision invalidating the EU-U.S. Privacy Shield (“Privacy Shield”) but upholding the validity of standard contractual clauses (“SCCs”), the U.S. government has released a White Paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.” The Schrems II ruling requires companies relying on SCCs “to verify, on a case-by-case basis,” whether the level of protections afforded by the SCCs are respected and observed in the recipient country. According to the cover letter accompanying the White Paper, it “outlines the robust limits and safeguards in the United States pertaining to government access to data” as part of “an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling.”
The cover letter emphasizes that while the White Paper is intended to help companies make the case that they can transfer personal data from the EU to the United States in compliance with EU law, it does not “eliminate the urgent need for clarity from European authorities or the onerous compliance burdens generated by the Schrems II decision.” It concludes by citing the importance of the “$7.1 trillion transatlantic economic relationship” and stating that “the Trump Administration is exploring all options at its disposal and remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States.”
Continue Reading U.S. Government Issues White Paper on Privacy Safeguards Following Schrems II
United States v. Moore-Bush: No Reasonable Expectation of Privacy Around the Home
On June 16, 2020, the First Circuit released its opinion in United States v. Moore-Bush. The issue presented was whether the Government’s warrantless use of a pole camera to continuously record for eight months the front of Defendants’ home, as well as their and their visitors’ comings and goings, infringed on the Defendants’ reasonable expectation of privacy in and around their home and thereby violated the Fourth Amendment. The appeal followed the district court’s decision in June 2019 in favor of Defendants’ motions to exclude evidence obtained via the pole camera. The Government, without obtaining a warrant, had installed a pole camera on a utility pole across the street from Defendants’ residence. The pole camera (1) took continuous video recording for approximately eight months, (2) focused on the driveway and the front of the house, (3) had the ability to zoom in so close that it can read license plate numbers, and (4) created a digitally searchable log.
In their motions to exclude, the Defendants, relying on Katz v. United States, argued they had both a subjective and objective reasonable expectation of privacy in the movements into and around their home, and that the warrantless use of the pole camera therefore constituted an unreasonable search under the Fourth Amendment. The Government relied on an earlier First Circuit case, United States v. Bucci, which held that there was no reasonable expectation of privacy in a person’s movements outside of and around their home—“An individual does not have an expectation of privacy in items or places he exposes to the public.” Thus, Bucci held that use of a pole camera for eight months did not constitute a search.
Continue Reading United States v. Moore-Bush: No Reasonable Expectation of Privacy Around the Home
AI/IoT Update: UK’s Information Commissioner Issues Opinion on Use of Live Facial Recognition Technology by Police Forces
On October 31, 2019, Elizabeth Denham, the UK’s Information Commissioner issued an Opinion and an accompanying blog urging police forces to slow down adoption of live facial recognition technology and take steps to justify its use. The Commissioner calls on the UK government to introduce a statutory binding code of practice on the use of biometric technology such as live facial recognition technology. The Commissioner also announced that the ICO is separately investigating the use of facial recognition by private sector organizations, and will be reporting on those findings in due course.
The Opinion follows the ICO’s investigation into the use of live facial recognition technology in trials conducted by the Metropolitan Police Service (MPS) and South Wales Police (SWP). The ICO’s investigation was triggered by the recent UK High Court decision in R (Bridges) v The Chief Constable of South Wales (see our previous blog post here), where the court held that the use of facial recognition technology by the South Wales Police Force (“SWP”) was lawful.
The ICO had intervened in the case. In the Opinion, the Commissioner notes that, in some areas, the High Court did not agree with the Commissioner’s submissions. The Opinion states that the Commissioner respects and acknowledges the decision of the High Court, but does not consider that the decision should be seen as a blanket authorization to use live facial recognition in all circumstances.Continue Reading AI/IoT Update: UK’s Information Commissioner Issues Opinion on Use of Live Facial Recognition Technology by Police Forces
UK Court upholds police use of automated facial recognition technology
R (on the application of Edward Bridges) v The Chief Constable of South Wales [2019] EWHC 2341 (Admin)
Case Note
Introduction
In Bridges, an application for judicial review, the UK High Court (Lord Justice Haddon-Cave and Mr. Justice Swift) considered the lawfulness of policing operations conducted by the South Wales Police force (“SWP”) which utilised Automated Facial Recognition (“AFR”) technology. The Court rejected Mr Bridges’ allegations that the SWP’s conduct was unlawful as contrary to the European Convention on Human Rights (“ECHR”), Article 8, the Data Protection Acts 1998 and 2018 (“DPA 98 and 18”), and the Equality Act 2010. In this blog post we consider several key aspects of the case.Continue Reading UK Court upholds police use of automated facial recognition technology
European Data Protection Board Releases Report on the Privacy Shield
On January 24, the European Data Protection Board (“EDPB”) adopted a report (“Report”) regarding the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”). In a press release accompanying the Report, the EDPB welcomed efforts by EU and U.S. authorities to implement the Privacy Shield, including in particular the recent appointment of a permanent Ombudsperson. But the EDPB also noted that certain concerns remain with respect to the implementation of the Privacy Shield.
The EDPB, which is made up of representatives of various European data protection authorities, is established by the GDPR, and advises on the consistent application of data protection rules throughout the EU. The Report is not binding on the EU or U.S. authorities directly; instead it will serve to guide regulators considering the implementation of the Privacy Shield. The Report is also likely to influence the EU Commission’s assessment of the Privacy Shield, and to contribute to political pressure in the European Parliament to continue to reform the Shield.
Continue Reading European Data Protection Board Releases Report on the Privacy Shield
Future of Privacy Forum: Privacy Papers for Policymakers 2018
On the heels of the Federal Trade Commission’s (“FTC”) third annual “PrivacyCon,” the Future of Privacy Forum hosted its eighth annual “Privacy Papers for Policymakers” event on Capitol Hill—a gathering in which academics present their original scholarly works on privacy-related topics to D.C. policy wonks who may have a hand in shaping laws and regulations at the local, federal, and international level. The goal of the event is, in part, to foster academic-industry collaboration in addressing the world’s current and emerging privacy issues.
FTC Commissioner Terrell McSweeny kicked off the program with a reminder of the unique challenge that has always faced the world of tech policy: the rapid acceleration of the Digital Age and the need for consumer rights to catch up. Commissioner McSweeny opined that the challenge may require some solutions that go beyond privacy—such as individual control over personal data, data portability, and governance by design—and pointed out several ways in which the honored papers may help spur the evolution of existing privacy frameworks:
Continue Reading Future of Privacy Forum: Privacy Papers for Policymakers 2018
European Parliament Approves EU-U.S. Umbrella Agreement
Yesterday, the European Parliament voted to approve the EU-U.S. Umbrella Agreement, a framework for the exchange of personal data for law-enforcement (including anti-terrorism) purposes between the EU and U.S. As we previously explained, negotiations on this Agreement have been underway for quite some time, with the European Parliament first calling for it back in March 2009.
According to the European Commission’s fact sheet, the Agreement “puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation.” Specifically, the Umbrella Agreement includes the following protections:
- Data Use Limitations
- Onward Transfer Requirements
- Publicly Available Retention Periods
- Access and Rectification Rights
- Data Breach Notification
- Judicial Redress and Enforceability
Continue Reading European Parliament Approves EU-U.S. Umbrella Agreement
Advocacy Group Letter Opposes Privacy Shield
Yesterday, a group of twenty-seven privacy and civil liberties organizations sent a letter to EU officials opposing the EU-U.S. Privacy Shield, which was released last month and is currently being reviewed by the Article 29 Working Party in the EU. According to the letter, the Privacy Shield “manifestly fails” to…
Continue Reading Advocacy Group Letter Opposes Privacy Shield