Showing posts with label Digital Privacy Law Expert. Show all posts

Sunday, January 31, 2016

US-EU Safe Harbor Deadline Passes Without A New Data Transfer Deal

According to The New York Times, United States (US) and European Union (EU) officials were unable to reach an agreement on an updated International Safe Harbor agreement before the January 31st deadline. The agreement covered how digital data (e.g. social media content, financial data, etc.) could be transferred between the continents.

The Safe Harbor Agreement that was implemented in 2000 between the US and EU contained principles that allowed companies (e.g. tech companies and other multi-national companies) to comply with EU data protection laws when moving data from Europe to the United States. US companies that process and/or store individuals' data may self-certify that they adhere to 7 principles that comply with the EU's data protection laws.

The 7 principles include: notice, choice, onward transfer, security, data integrity, access, and enforcement. The initial Safe Harbor agreement was meant to be an interim agreement; however, it lasted approximately 15 years. A couple of years ago, EU and US regulators began negotiating an updated agreement to take into account how technology has changed over the years. Last October, before a new agreement was finalized, the current one was invalidated by the European Court of Justice via a complaint from Austrian privacy advocate Max Schrems. Mr. Schrems gained publicity several years ago for his privacy advocacy that was highlighted in the documentary Terms and Conditions May Apply when he demonstrated how much data Facebook was collecting about each of its EU users.

Now that the deadline has passed, what comes next?  According to The New York Times, the sides still have a lot of details to work out. Therefore, until a formal announcement is made it is premature to speculate on the next step.  As I told LAW360 the other day, businesses need certainty regarding transatlantic data transfers and if an agreement is not forthcoming companies will need a Plan B. 

If consumer groups file complaints as The New York Times indicated may occur, these issues may need to be adjudicated via the courts. At this point, uncertainty is the status quo and this may create unintended service disruptions for companies that transfer digital data between the continents. My hope is that an agreement is reached sooner rather than later that is flexible enough to account for future technology changes.  

Copyright 2016 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Wednesday, October 21, 2015

U.S. Must Pass Judicial Redress Act To Demonstrate International Privacy Leadership

The recent invalidation of the U.S.-E.U. Safe Harbor Agreement by the European Union Court of Justice has demonstrated that the U.S. must enact privacy laws that protect non-U.S. citizens from law enforcement overreach. The Snowden NSA revelations that were first revealed in 2013 not only angered many American citizens and civil rights advocates, but they also created a schism with Europe regarding government surveillance and digital privacy.
   
For the past 15 years, companies that do business across the Atlantic have relied on the U.S.-E.U. Safe Harbor Agreement to transfer personal data from the E.U. to the U.S. While this agreement was not perfect, it created a mechanism that was consistent with E.U. data protection directives that enabled companies to process and utilize personal digital data without running afoul of E.U. privacy laws.

Austrian privacy advocate Max Schrems' challenge against Facebook regarding how it handles the data it collects from E.U. users was the catalyst behind the demise of Safe Harbor. E.U. data protection authorities have given lawmakers in the U.S. and the E.U. three months to negotiate a new treaty to replace the Safe Harbor’s data privacy protocols. Under E.U. law, personal information may be exported if it is provided the same protections that are offered in the E.U.

U.S. digital privacy protections are generally stuck in the 1980s and many of our laws did not anticipate how technology would change over time. While privacy has been a fundamental human right in the E.U. since 1950, U.S. digital privacy rights have been slow to evolve to catch up with how we are utilizing the many life-changing services and devices that are now being deployed.

Congress is working on strengthening our digital privacy rights but the process has been slow and arduous.  Fortunately, yesterday’s passage of the Judicial Redress Act in the U.S. House of Representatives which will enable foreign citizens to have the same legal rights as U.S. citizens if law enforcement violates their personal privacy rights is a step in the right direction.  While the bill still must be passed in the Senate and signed by the President to become law, this development demonstrates that we are on the right track and hopefully this will help lead to a new U.S.-E.U. Safe Harbor data agreement.  

This legislation and others such as ECPA reform, and the Law Enforcement Access To Data Stored Abroad Act (LEADS) are much needed bills that must be enacted to demonstrate that we will be a beacon for digital privacy rights.  We can have both privacy and security while respecting fundamental human rights.  However, we must showcase this leadership by enacting digital privacy laws that equally protect both U.S. and foreign citizens.  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.   

Monday, September 7, 2015

U.S. Dept. Of Justice v. Microsoft: The Fight For Digital Privacy

Last week, the U.S. government issued new guidance regarding when and how federal law enforcement may deploy cell phone site simulators (i.e. stingray technology) that collect consumer mobile phone/digital device data. In general, the U.S. Department of Justice (DOJ) will now require federal officials to obtain a warrant to deploy these technologies and utilize the data collected. This change in policy signals that the U.S. government is beginning to understand that it must create reasonable rules and procedures regarding the collection and usage of digital evidence that adheres to the principles of the Fourth Amendment.

While the federal government has changed its policy regarding the use of cell site simulators, I am perplexed that it hasn’t changed its position about some other digital data privacy issues. For example, in a New York City federal appeals courtroom later this week the DOJ will be squaring off against Microsoft in a matter about digital privacy law that has tremendous international ramifications.  In short, the federal government wants to be able to require U.S. based companies to turn over digital data that is held in foreign based servers without being required to follow the evidence collection laws of the countries where the data is located.  This position is very troubling and goes against well-established national and international law regarding the collection and usage of evidence. 

In general, to obtain physical evidence law enforcement must follow the laws of the jurisdiction where it is located.  In some circumstances jurisdiction occurs by citizenship.  However, here the data is located outside the U.S. and the user (DOJ target) doesn't appear to be American.  Under these facts, I question the DOJ's theory as to why it has the legal authority to obtain the requested information without the cooperation of the government of Ireland.  

The DOJ is arguing that data stored in digital clouds should be treated differently than evidence stored in physical filing cabinets. Interestingly, the DOJ has so far won its flawed argument in federal court so Microsoft has taken its fight to the federal Second Circuit Court of Appeals.

Multiple academics (i.e. here and here) have previously written about this case (and so have I) because it sounds like a law school final exam.  For non-lawyers this means that the law is not clear on how to handle this specific situation.  If general jurisprudence on how to handle physical evidence is followed, the DOJ would be required to contact law enforcement agencies in the country (in this case it is Ireland) where the digital data is located.  However, since this is technology, and the information requested is stored in the cloud the courts are grappling with how to handle these issues.

DOJ is claiming (among other things) that since Microsoft (or other technology providers) has legal control over its servers in Ireland it should be required to turn over the data requested without going through the legal process in Ireland. With this same argument, a foreign government could in turn claim that it doesn’t have to follow U.S. law when demanding access to U.S. consumer digital data located in the U.S. if the server provider has operations in that foreign country.

If the DOJ wins its legal argument, in addition to foreign governments making the same access demands to digital accounts located in the U.S., a win may also encourage U.S. tech companies to change the legal structure of their foreign subsidiaries to be able to legitimately claim that they do not have the authority to access and/or turn over customer data located in a foreign country.  This may lead to many high paying jobs being transferred from the U.S. to other countries to oversee the operations of these new legal entities. 

Amicus briefs from not only other technology companies, but also from civil rights groups, academic scholars, and privacy advocates supporting Microsoft's position demonstrate that this case is more than just about protecting the bottom line of the U.S. cloud industry. This case goes to the heart of the proper way to handle unique digital law and public policy issues. Whether it's through the federal courts, or via congressional action such as the Law Enforcement Access To Data Stored Abroad (LEADS) Act, or other similar legislation, the U.S. must set an example and take a leadership role on how to properly balance lawful access with personal privacy.

Regardless of the outcome of this case, it is imperative that a broad international discussion occur on how to handle this and similar burgeoning digital law and public policy issues.  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.  

Thursday, June 11, 2015

Warrants Must Be Required for Digital Data Access

Growing up, I enjoyed watching L.A. Law and Law & Order.  So it was at a relatively young age that I learned that a warrant was required for the police to search your home and personal belongings. In law school, my criminal law classes focused on the need for the police to follow proper legal procedures to obtain a search warrant. Case after case demonstrated that the Fourth Amendment protects us against unreasonable searches and seizures—a basic tenet of American jurisprudence.

When I began practicing law at the dawn of the Internet Age, I soon realized that in the digital space, this long-held, common-sense approach to law enforcement searches is not always applicable. Surprisingly, searches in the physical world almost always require a warrant while searches in the “digital world” generally do not.  Under the 1986 Electronic Communications Privacy Act (ECPA), enacted with 1980s technology in mind, the legal need for a warrant to access one’s personal digital content depends on the type of technology utilized to store the data and how old the correspondence is.   

According to an Electronic Information Privacy Center (EPIC) analysis of ECPA, the backbone of U.S. digital privacy law, law enforcement does not need a warrant to access both opened and unopened emails stored in the cloud for more than 180 days.  In contrast, emails located on a home hard drive and opened emails that are less than 180 days old require a warrant.

The deficiencies in this approach are becoming more apparent every day.  For example, law enforcement agencies across the country are using mobile devices called Stingrays  to collect information that is stored on our cell phones and other digital devices without warrants. Law enforcement has refused to discuss, even in court, the technology utilized in Stingray devices. And this is just one example of overreach.    

Our current legal framework worked best in 1986. ECPA made sense then because lawmakers didn’t envision people storing thousands of personal files for years on remote or cloud-based servers.  In 1986, these technologies did not exist.  Over the past 30 years, technological innovation has changed how we create, access, process, and archive digital content.  Today, many people store personal emails and data in the cloud or apps.  Due to the growing interconnectedness of our society, many of these platforms have servers located around the globe.  At any given time, our data may be processed, archived, or stored in servers anywhere in the world.        

Whether a warrant is required to access one’s digital data should not depend on the age of the content, the technology utilized to store the information, or the location of the data.  In the face of ECPA’s limitations, some states, such as Virginia and California, have enacted laws requiring a warrant before Stingray technology may be deployed.  A forward-thinking national law that requires a warrant to access digital content regardless of data’s age or the type of storage technology utilized is needed. 

Fortunately, Congress has recently proposed a bipartisan fix to this problem with the introduction of the Law Enforcement Access to Data Stored Abroad Act (LEADS).  This bill offers a well-balanced approach that requires law enforcement to obtain a warrant when it wants access to personal digital content.  If data is located on an app or a server that is located overseas, it requires law enforcement to follow the legal process required to obtain the information in the jurisdiction where the content is located.  This common-sense approach ensures that personal information is treated equally whether located in the physical or the digital world.   

It’s time for the United States to demonstrate leadership on digital privacy issues. A step in the right direction would be to enact the bipartisan LEADS Act.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.         

Friday, February 27, 2015

White House Releases Disappointing Consumer Privacy Draft Bill

Privacy in school, at home, and at work has become a very hot topic over the past several years due to the increased amount of our everyday activities that are being digitized.  Earlier today, The White House released an administration discussion draft of the President's vision for enhanced consumer privacy protections.  Unfortunately, the proposal appears to fall short. 

According to Jeff Chester of the Center for Digital Democracy, the draft is "a big victory for the tech industry because it really sidelines the FTC and removes it as an effective force." Alvaro Bedoya, director of the Center on Privacy and Technology at Georgetown's law school, believes that Obama's bill may preempt state laws, in favor of letting companies collect what they want as long as they maintain some level of transparency. These concerns are very real and demonstrate that The White House needs to rethink its approach.

The FTC also weighed in and stated, "[w]e are pleased that the Administration has made consumer privacy a priority, and this legislative proposal provides a good starting point for further discussion. However, we have concerns that the draft bill does not provide consumers with the strong and enforceable protections needed to safeguard their privacy. We look forward to working with Congress and the Administration to strengthen the proposal."

I agree with the above sentiments and hope this draft spurs a robust conversation on digital privacy and technology. Absent stronger privacy protections, digital platform users will be discriminated against based upon their age, race, religion, sex, sexual orientation, physical/mental impairments, etc. There needs to be not only mandatory industry transparency but also stronger regulation on data collection and utilization practices. Federal legislation should be a floor and not a ceiling for privacy protections and the FTC needs to be provided enhanced regulatory enforcement powers.

I want my children to grow up with the same expectation of privacy I had as a kid and I don't want them to fear that their emails, Internet searches, and digital activity will be utilized to create robust profiles about them which will affect their schooling, career prospects, and ability to obtain insurance, etc.

I fight for our digital privacy because it is the right thing to do.  I encourage those who believe we have an expectation of privacy in the Digital Age to contact The White House and their federal and state lawmakers to tell them to make stronger digital privacy protections a priority this year. 

Copyright 2015 by Shear Law, LLC All rights reserved.

Monday, February 16, 2015

Law Enforcement Access To Data Stored Abroad Act Introduced

Late last week, Sen. Orrin Hatch of Utah introduced the Law Enforcement Access To Data Stored Abroad Act (LEADS Act) which would require law enforcement to obtain a warrant under the Electronic Communications Privacy Act (ECPA) to obtain the content of subscriber communications from an electronic communications or cloud computing service. According to Sen. Hatch, the legislation would "strengthen privacy in the digital age and promote trust in US technologies worldwide by safeguarding data stored abroad, while still enabling law enforcement to fulfill its important public safety mission".

The LEADS Act appears to have been introduced in response to an ongoing federal court case that required a U.S. email service provider to turn over customer emails that are stored in Ireland in response to a U.S. warrant instead of going through the proper legal channels in Ireland. This ruling was very troubling because it disregarded European digital privacy laws. Unless this decision is reversed, it may encourage foreign countries to ignore U.S. privacy laws when demanding access to their citizens' digital content that is located in the U.S.

The passage of the LEADS Act is needed not only to better protect digital privacy, but also from a business perspective. According to The New York Times, the U.S. cloud computing industry may lose tens of billions of dollars in business because international companies and governments have lost confidence in U.S. technology companies due to the NSA surveillance programs that Edward Snowden exposed in 2013. Forrester Research has indicated that these losses could be as high as $180 billion for U.S.-based firms.

As a lawyer who focuses on privacy and cyber security matters, I have seen some of my clients change their communication habits based upon the information obtained from the NSA documents leaked by Snowden.  Even though I am a proponent of utilizing cloud platforms, due to the troubling state of our digital privacy protections and an increase in hacking incidents, I have been encouraging some of my clients to conduct more business in person and/or on the phone until the U.S. enacts stronger digital privacy laws.  In some instances, I am advising clients to go "old school" and send more physical packages via personal courier or a trusted commercial parcel service.

Unless there are digital exigent circumstances, the government should generally be required to obtain a warrant to access our electronic communications.  Since law enforcement officials generally need a warrant to search our physical homes and businesses, the same standard should apply to our digital homes and businesses.

The LEADS Act is a sensible bill that will help protect online privacy and bring digital public policy into the 21st century.  With more of our personal and business communications occurring digitally, it is imperative that our electronic communications receive the same protections as our "old school" pen and paper documents.

Copyright 2015 by Shear Law, LLC All rights reserved.